CVE-2025-66644
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-10
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arraynetworks | arrayos_ag | before 9.4.5.9 (9.4.5.9 excluded) |
| arraynetworks | ag1000 | * |
| arraynetworks | ag1000t | * |
| arraynetworks | ag1000v5 | * |
| arraynetworks | ag1100 | * |
| arraynetworks | ag1100v5 | * |
| arraynetworks | ag1150 | * |
| arraynetworks | ag1200 | * |
| arraynetworks | ag1200v5 | * |
| arraynetworks | ag1500 | * |
| arraynetworks | ag1500fips | * |
| arraynetworks | ag1500v5 | * |
| arraynetworks | ag1600 | * |
| arraynetworks | ag1600v5 | * |
| arraynetworks | vxag | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Array Networks ArrayOS AG versions before 9.4.5.9. It allows an attacker to execute arbitrary commands on the affected system. The vulnerability was actively exploited in the wild between August and December 2025.
How can this vulnerability impact me?
The vulnerability can have a severe impact as it allows an attacker to execute arbitrary commands with high privileges, potentially leading to full compromise of the affected system. This can result in unauthorized access, data theft, service disruption, and other malicious activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves looking for signs of compromise such as unauthorized PHP webshells in the /ca/aproxy/webapp/ directory and rogue user accounts created on the device. Network monitoring for suspicious traffic, especially communications with the IP address 194.233.100.138, which has been linked to attacks, is also recommended. The resources do not provide specific commands, but typical steps include checking for unexpected files in the webapp directory, reviewing user accounts for unauthorized additions, and analyzing logs for unusual activity before rebooting the device, since a reboot may erase logs critical to the investigation. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update ArrayOS AG to version 9.4.5.9, which contains the patch for this vulnerability. Before applying the update, preserve logs as rebooting the device may erase them. If updating is not immediately feasible, disable all DesktopDirect services if they are not in use and implement URL filtering to block URLs containing semicolons (';'), which are commonly used in the injection payloads. Following vendor and reseller guidance for investigation and countermeasures is also advised. [2, 3]
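As an added defender-side example (not part of this record or of any vendor tooling), the following script applies the indicators from the detection and mitigation answers above to web access logs: the known-bad source IP, semicolons in request URLs (checked after percent-decoding, so an encoded `%3B` is not missed), and direct requests for PHP files under /ca/aproxy/webapp/. The log format and all sample lines are constructed; the file paths in the samples are placeholders, not known webshell names.

```python
import re
from urllib.parse import unquote

# Indicators taken from the answers above; everything else here is constructed.
KNOWN_BAD_IP = "194.233.100.138"
WEBAPP_DIR = "/ca/aproxy/webapp/"

# Minimal parser for a combined-log-format line: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return a list of finding tags for one access-log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    ip, url = m.group("ip"), m.group("url")
    if ip == KNOWN_BAD_IP:
        findings.append("known-bad-source-ip")
    # Decode percent-encoding first: a plain ';' filter would miss '%3B'.
    decoded = unquote(url)
    if ";" in decoded:
        findings.append("semicolon-in-url")
    # Direct requests for PHP files under the webapp directory may point at a planted webshell.
    path = decoded.split("?", 1)[0]
    if path.startswith(WEBAPP_DIR) and path.lower().endswith(".php"):
        findings.append("php-under-webapp-dir")
    return findings


def scan(lines):
    """Return (line_number, tags) for every line that produced at least one finding."""
    return [(i, tags) for i, line in enumerate(lines, 1) if (tags := classify(line))]


# Constructed sample log: one benign line, then one line per indicator.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '194.233.100.138 - - [01/Dec/2025:10:01:00 +0000] "GET /login HTTP/1.1" 200 100',
    '198.51.100.7 - - [01/Dec/2025:10:02:00 +0000] "GET /search?name=a%3Bb HTTP/1.1" 200 100',
    '203.0.113.9 - - [01/Dec/2025:10:03:00 +0000] "POST /ca/aproxy/webapp/placeholder.php HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for line_no, tags in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(tags)}")
```

Run it against an exported access log by replacing SAMPLE_LOG with the file's lines; a hit on the semicolon rule is a candidate for review, not proof of exploitation, since legitimate URLs can contain semicolons.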