CVE-2025-66644 is an OS command injection vulnerability classified under CWE-78 affecting Array Networks' ArrayOS AG software prior to version 9.4.5.9. This vulnerability arises from improper neutralization of special elements in OS commands, allowing an authenticated attacker with high privileges to inject and execute arbitrary commands on the underlying operating system. The vulnerability does not require user interaction but does require the attacker to have some level of privileged access (PR:H). The CVSS 3.1 base score is 7.2, reflecting a high severity due to the network attack vector (AV:N), low attack complexity (AC:L), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no official patch links are provided in the data, the vendor has presumably addressed this issue in version 9.4.5.9 or later. Exploitation in the wild was observed between August and December 2025, indicating active targeting by threat actors. The vulnerability could allow attackers to fully compromise affected systems, leading to data breaches, service disruption, or lateral movement within networks. ArrayOS AG is commonly deployed in enterprise environments for application delivery and network security, making this vulnerability particularly critical for organizations relying on these systems.

For European organizations, the impact of CVE-2025-66644 can be severe. Successful exploitation could lead to full system compromise, exposing sensitive data and disrupting critical network services. Enterprises using ArrayOS AG for secure application delivery or network access may face operational downtime, data exfiltration, or ransomware attacks. The high integrity and availability impact could affect business continuity and trust. Given the active exploitation window in late 2025, organizations that delay patching risk becoming targets of sophisticated threat actors. The breach of these systems could also have cascading effects on connected infrastructure and third-party services. Regulatory implications under GDPR and other data protection laws may arise if personal or sensitive data is compromised.

Organizations should immediately upgrade ArrayOS AG to version 9.4.5.9 or later where the vulnerability is fixed. In the absence of an official patch, apply vendor-recommended workarounds or disable vulnerable features if possible. Restrict administrative access to trusted personnel and networks using strong authentication methods and network segmentation. Implement strict monitoring and logging of administrative commands and network traffic to detect anomalous activities indicative of exploitation attempts. Conduct thorough vulnerability assessments and penetration testing focused on ArrayOS AG instances. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns. Maintain up-to-date backups and incident response plans to minimize impact in case of compromise. Engage with Array Networks support for guidance and updates.