Array Networks ArrayOS AG Exploitation CVE-2025-66644
Potential Affected Sectors
· Any organization using the affected Array Networks AG products.
Potential Affected Countries
· Global
BLUF
An OS command injection vulnerability in Array Networks ArrayOS AG allows for potential unauthenticated command execution on the system.
Date of First Reported Activity
· December 8, 2025
Date of Last Reported Activity Update
· December 8, 2025
CVE-2025-66644
Array Networks ArrayOS AG OS Command Injection Vulnerability.
CVSS v3.1
· (7.2) AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· Not available at this time
Is this on the KEV list
· Yes, as of December 8, 2025.
Patch by Date on KEV list
· December 29, 2025, for U.S. Federal Civilian Executive Branch (FCEB) agencies.
Patching/Mitigation Data
URL link to patch
Array Networks Support Portal (AG Series Downloads)
· hxxps://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html
APT Names
No specific APT or criminal organization is named in the referenced sources.
IOCs
Host-Based Indicators (on the Array AG device)
· Unauthorized Files: The presence of unknown scripts or files in publicly accessible directories, which typically indicates a web shell has been uploaded (e.g., in web roots).
· Modified System Files: Unauthorized changes to system binaries or configuration files that might indicate a persistence mechanism or privilege escalation attempt.
· Anomalous Processes: The execution of unexpected system commands or the spawning of unusual child processes by the web application or management interface process.
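As an added defender-side example (not Array Networks code and not part of the advisory), the following script implements the first host-based indicator above: it builds a hash manifest of a web root and reports new, modified or removed files, flagging unknown script files such as dropped PHP. The directory layout and file contents are constructed for illustration.

```python
"""Baseline-diff scanner for a web root (added example, not Array Networks code).

Flags new, modified and removed files relative to a known-good manifest.
Paths and sample files are constructed; on a real appliance the baseline
would be taken from a freshly patched device.
"""
import hashlib
import tempfile
from pathlib import Path

# File types that should not appear unexpectedly in a web root
SCRIPT_SUFFIXES = {".php", ".sh", ".pl", ".py"}


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_webroot(root, baseline):
    """Compare the current web root against the baseline manifest."""
    current = build_manifest(root)
    new = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    # Unknown script files are the highest-priority finding (web shell indicator)
    suspicious = [p for p in new if Path(p).suffix.lower() in SCRIPT_SUFFIXES]
    return {"new": new, "modified": modified, "removed": removed,
            "suspicious_scripts": suspicious}


def demo():
    """Constructed scenario: clean baseline, then a dropped PHP file and a tampered page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html>ok</html>")
        (root / "assets").mkdir()
        (root / "assets" / "app.js").write_text("console.log(1)")
        baseline = build_manifest(root)
        # Simulated post-compromise changes (constructed placeholders, not real IoCs)
        (root / "assets" / "cache.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "index.html").write_text("<html>tampered</html>")
        return diff_webroot(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the baseline step on a trusted image and store the manifest off-device, so a compromised gateway cannot rewrite its own reference point.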
Network Indicators
· Unusual Outbound Traffic: The device initiating connections to unknown IP addresses or domains, which could indicate data exfiltration (C2 traffic) or the downloading of secondary malware payloads.
· Geographic Anomalies: Traffic originating from or connecting to geographic locations where the organization does not have normal business operations.
· Spikes in Database Read Volume: While less specific, a sudden increase in data access could indicate data staging for exfiltration.
TTPs
TA0001: Initial Access
· T1190: Exploit Public-Facing Application: The primary TTP involves exploiting the command injection vulnerability in the internet-accessible Array Networks AG gateway via the DesktopDirect feature. Attackers abuse HTTP headers to inject commands without requiring authentication.
TA0002: Execution
· T1059.004: Command and Scripting Interpreter: Unix Shell: The core of the vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is the execution of OS commands via an application input field. This allows attackers to run malicious commands directly on the underlying Linux operating system.
TA0003: Persistence
· T1505.003: Server Software Component: Web Shell: A key observed TTP is the dropping of PHP web shells onto the compromised device's file system. The web shell serves as a persistent backdoor, allowing subsequent, easier access and control by the attacker.
TA0008: Lateral Movement
· T1021: Remote Services: Once control of the gateway is established, threat actors use the compromised device as a pivot point to move laterally into the internal network.
TA0011: Command and Control
· T1071.001: Application Layer Protocol: Web Protocols (HTTPS/WebSockets): The malware associated with these campaigns (such as "BRICKSTORM" in related campaigns) uses encrypted protocols like HTTPS and WebSockets for stealthy Command and Control (C2) communications and data tunneling.
· T1071.004: Application Layer Protocol: DNS (DNS-over-HTTPS): Attackers have been observed using DoH to further conceal C2 communications, making detection more difficult for traditional network monitoring tools.
Delivery Method
Remote exploitation via network access.
Email Samples
· Not applicable/available.
References
Array Networks Support Portal (AG Series Downloads)
· hxxps://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html
Array Networks Announcement on X (formerly Twitter)
· hxxps://x.com/ArraySupport/status/1921373397533032590
JP CERT Advisory (AT25-0024)
· hxxps://www.jpcert.or.jp/at/2025/at250024.html
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-66644
CISA Known Exploited Vulnerabilities (KEV) Catalog Entry
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644
· hxxps://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
Security Researcher & News Links
BleepingComputer
· hxxps://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
GitHub Advisory
· hxxps://github.com/advisories/GHSA-hqfm-g725-ccqr
CVE Details Page
· hxxps://www.cvedetails.com/cve/CVE-2025-66644/