What is the CVSS score of CVE-2025-66644?

CVE-2025-66644 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 3.1%.

Which versions of Arrayos Ag are affected by CVE-2025-66644?

Array Networks ArrayOS AG versions prior to 9.4.5.9 contain an authenticated OS command injection vulnerability that is confirmed actively exploited (CISA KEV) and poses direct risk to VPN/SSL-VPN…. A patch is available.

Is CVE-2025-66644 being actively exploited?

Yes, CVE-2025-66644 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2025-66644?

Within 24 hours: Identify all ArrayOS AG appliances in production and document current versions via inventory systems. Within 7 days: Upgrade all affected instances to ArrayOS AG 9.4.5.9 or later per Array Networks guidance; coordinate with network operations to schedule maintenance windows with minimal business disruption. Within 30 days: Conduct post-patch validation testing on VPN connectivity and SSL-VPN access controls; review access logs for unauthorized command execution attempts during the exploitation window (August-December 2025).

Arrayos Ag CVE-2025-66644

EUVD-2025-201500 HIGH

OS Command Injection (CWE-78)

2025-12-05 cve@mitre.org

Command Injection Arrayos Ag

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:23 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

9.4.5.9

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201500

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

Added to CISA KEV

Dec 10, 2025 - 02:00 cisa

CISA KEV

CVE Published

Dec 05, 2025 - 19:15 nvd

HIGH 7.2

DescriptionNVD

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

AnalysisAI

Array Networks ArrayOS AG before 9.4.5.9 contains an OS command injection vulnerability (CVE-2025-66644, CVSS 7.2) that has been actively exploited in the wild from August through December 2025. KEV-listed, this vulnerability in the VPN/SSL-VPN appliance enables authenticated attackers to execute arbitrary commands on the network edge device.

Technical ContextAI

Array Networks AG is an SSL VPN appliance deployed at network perimeters. The command injection vulnerability allows authenticated users to inject OS commands through the appliance's management or VPN interface. The extended exploitation period (August-December 2025) suggests this was used as a zero-day by advanced threat actors, likely for initial access into corporate networks through the VPN edge device.

RemediationAI

Upgrade ArrayOS AG to 9.4.5.9+ immediately. Assume compromise if running vulnerable version during Aug-Dec 2025. Conduct incident response investigation. Reset all VPN user credentials. Review internal network for lateral movement indicators. Check for persistent backdoors on the appliance.

CVE-2025-66644 vulnerability details – vuln.today

Back

Arrayos Ag CVE-2025-66644

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code