Command Injection Vulnerability in Array Networks ArrayOS
CVE-2025-66644
Key Information:
- Vendor
Array Networks
- Status
- Vendor
- CVE Published:
- 5 December 2025
Badges
What is CVE-2025-66644?
Array Networks' ArrayOS AG, prior to version 9.4.5.9, is susceptible to a command injection vulnerability that has been actively exploited in the wild from August to December 2025. This vulnerability allows attackers to execute arbitrary commands on the host system by sending crafted requests, compromising the integrity and confidentiality of the application and potentially leading to unauthorized access and control over affected systems.
CISA has reported CVE-2025-66644
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-66644 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
ArrayOS AG 0 < 9.4.5.9
References
CVSS V3.1
Timeline
- ๐พ
Exploit known to exist
- ๐ฆ
CISA Reported
Vulnerability published
Vulnerability Reserved