Main Vulnerability Database Vulnerabilities #VU119384

OS command injection in ArrayOS - CVE-2025-66644

Published: December 8, 2025 / Updated: April 15, 2026

Vulnerability identifier: #VU119384

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2025-66644

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vendor: Array Networks

Affected software:
ArrayOS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the DesktopDirect feature. A remote authenticated user can send specially crafted data to the application and execute arbitrary OS commands on the target system.

Note, the vulnerability is being actively exploited in the wild since August 2025.

How to mitigate CVE-2025-66644

Install updates from vendor's website available since May 2025.

Sources

https://www.jpcert.or.jp/at/2025/at250024.html

OS command injection in ArrayOS - CVE-2025-66644

Detailed vulnerability description

How to mitigate CVE-2025-66644

Sources

Please verify you're human