CVE-2025-66644:

Command injection vulnerability in Array Networks ArrayOS AG prior to version 9.4.5.9

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Dec 5, 2025
CISA KEV Date:Dec 8, 2025
Industries Affected:20

Armis Early Warning:

3 Days

Threat Predictions

EPSS Score:2.9
EPSS Percentile:86%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Command injection vulnerability in Array Networks ArrayOS AG prior to version 9.4.5.9

Overview

The vulnerability (CVE-2025-66644) in Array Networks ArrayOS AG is a command injection flaw, classified as CWE-78. It has a CVSS v3.1 base score of 7.2, categorized as HIGH severity. The attack vector is network-based, with low attack complexity and no user interaction required. While it requires high privileges to exploit, the potential impact on confidentiality, integrity, and availability is significant. The vulnerability affects the system's security by allowing attackers to inject and execute arbitrary commands, potentially leading to unauthorized access, data theft, or system compromise.

Remediation

To address this vulnerability, organizations using Array Networks ArrayOS AG should take the following steps:
1. Update to ArrayOS AG version 9.4.5.9 or later as soon as possible.
2. If immediate updating is not feasible, implement network segmentation and access controls to limit exposure.
3. Monitor systems for unusual activities or signs of exploitation.
4. Conduct a thorough security audit to ensure no compromise has occurred.
5. Implement robust logging and monitoring solutions to detect potential exploitation attempts.
6. Review and strengthen access controls and authentication mechanisms.
7. Consider implementing additional security layers such as Web Application Firewalls (WAF) for added protection.