CVE-2025-66644 is an OS command injection vulnerability identified in Array Networks' ArrayOS AG product, affecting all versions prior to 9.4.5.9. The vulnerability is classified under CWE-78, indicating improper neutralization of special elements used in OS commands. This flaw allows an attacker with high privileges (authenticated) to inject arbitrary operating system commands remotely without requiring user interaction. The vulnerability was actively exploited in the wild from August through December 2025, highlighting its real-world impact. The CVSS v3.1 base score is 7.2, reflecting a high severity due to network attack vector, low attack complexity, required privileges, and full impact on confidentiality, integrity, and availability. ArrayOS AG is a network application delivery controller used to optimize and secure application traffic, making it a critical component in enterprise and service provider environments. The lack of available patches at the time of disclosure emphasizes the urgency for organizations to apply updates once available. The vulnerability could allow attackers to execute arbitrary commands on the underlying OS, potentially leading to full system compromise, data exfiltration, or disruption of services. The exploitation requires authenticated access with high privileges, which means attackers must first gain such access, but no user interaction is needed once authenticated. This vulnerability underscores the importance of secure coding practices, especially input validation and command sanitization in network infrastructure products.

For European organizations, the impact of CVE-2025-66644 is significant due to the critical role ArrayOS AG plays in managing and securing network traffic. Successful exploitation can lead to complete compromise of the affected device, resulting in unauthorized access to sensitive data, disruption of network services, and potential pivoting to other internal systems. This can affect confidentiality by exposing sensitive information, integrity by allowing unauthorized changes, and availability by causing service outages. Sectors such as finance, telecommunications, government, and critical infrastructure that rely on Array Networks for secure application delivery are particularly at risk. The exploitation window from August to December 2025 indicates active targeting, possibly by sophisticated threat actors. European organizations may face regulatory consequences under GDPR if data breaches occur. The requirement for high privileges to exploit the vulnerability means insider threats or compromised credentials are key risk factors. The absence of user interaction lowers the barrier for automated exploitation once access is obtained. Overall, the vulnerability poses a high operational and reputational risk to European enterprises and service providers.

1. Immediately upgrade ArrayOS AG to version 9.4.5.9 or later once patches are released by Array Networks. 2. Restrict administrative access to ArrayOS AG devices using network segmentation, VPNs, and strict access control lists to limit exposure. 3. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Monitor logs and network traffic for unusual command execution patterns or unauthorized access attempts. 5. Implement strict input validation and command sanitization on any interfaces interacting with OS commands, if customization or scripting is used. 6. Conduct regular security audits and vulnerability assessments on network infrastructure devices. 7. Prepare incident response plans specifically addressing potential OS command injection exploitation scenarios. 8. Educate privileged users about the risks and signs of compromise to detect insider threats early. 9. Consider deploying endpoint detection and response (EDR) solutions on devices managing ArrayOS AG to detect anomalous behavior. 10. Coordinate with Array Networks support and subscribe to security advisories for timely updates.