Main Vulnerability Database Vulnerabilities #VU119384

#VU119384 OS command injection in ArrayOS

Published: December 8, 2025

Vulnerability identifier: #VU119384

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vulnerable software:
ArrayOS

Software vendor:
Array Networks

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the DesktopDirect feature. A remote authenticated user can send specially crafted data to the application and execute arbitrary OS commands on the target system.

Note, the vulnerability is being actively exploited in the wild since August 2025.

Remediation

Install updates from vendor's website available since May 2025.

External links

https://www.jpcert.or.jp/at/2025/at250024.html

#VU119384 OS command injection in ArrayOS

Description

Remediation

External links

Please verify you're human