CVE-2025-66644 — Array Networks ArrayOS AG OS Command Injection Vulnerability

2025-12-08 • CISA Known Exploited Vulnerability

[event] Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.

> AFFECTED SOFTWARE

Field	Value
Vendor	Array Networks
Product	ArrayOS AG
CWE	CWE-78
CVE ID	CVE-2025-66644
Date Added	2025-12-08
Due Date	2025-12-29
Ransomware Campaign	Unknown

> MITIGATION

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Due Date: 2025-12-29

> REFERENCES

[1] https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/a...
[2] https://www.jpcert.or.jp/at/2025/at250024.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-66644