CVE-2025-66644

Warnung

Medienbericht

EPSS 3.51%
Veröffentlicht 05.12.2025 00:00:00
Zuletzt bearbeitet 10.12.2025 02:00:02
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Arraynetworks ≫ Arrayos Ag Version < 9.4.5.9

   Arraynetworks ≫ Ag1000 Version-
   Arraynetworks ≫ Ag1000t Version-
   Arraynetworks ≫ Ag1000v5 Version-
   Arraynetworks ≫ Ag1100 Version-
   Arraynetworks ≫ Ag1100v5 Version-
   Arraynetworks ≫ Ag1150 Version-
   Arraynetworks ≫ Ag1200 Version-
   Arraynetworks ≫ Ag1200v5 Version-
   Arraynetworks ≫ Ag1500 Version-
   Arraynetworks ≫ Ag1500fips Version-
   Arraynetworks ≫ Ag1500v5 Version-
   Arraynetworks ≫ Ag1600 Version-
   Arraynetworks ≫ Ag1600v5 Version-
   Arraynetworks ≫ Vxag Version-

08.12.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Array Networks ArrayOS AG OS Command Injection Vulnerability

Schwachstelle

Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.51%	0.872

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://www.jpcert.or.jp/at/2025/at250024.html

Third Party Advisory

https://x.com/ArraySupport/status/1921373397533032590

Third Party Advisory

https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/

Press/Media Coverage

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-66644

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66644

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66644

EUVD