PatchSiren cyber security CVE debrief

CVE-2025-66644 Array Networks CVE debrief

CVE-2025-66644 is a command injection vulnerability affecting Array Networks ArrayOS AG and is listed in CISA’s Known Exploited Vulnerabilities catalog. That KEV designation means CISA has determined the issue has been exploited in the wild. The supplied corpus does not include a CVSS score or deeper technical detail, so the safest reading is that this is a high-priority exposure for any organization running the product, especially if it is internet-facing or otherwise broadly reachable.

Vendor: Array Networks
Product: ArrayOS AG
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-12-08
Original CVE updated: 2025-12-08
Advisory published: 2025-12-08
Advisory updated: 2025-12-08

Who should care

Administrators, security teams, and asset owners responsible for Array Networks ArrayOS AG deployments should treat this as urgent. Organizations that rely on the product for perimeter or remote access functions should verify exposure and follow CISA/vendor mitigation guidance immediately.

Technical summary

The available source material identifies CVE-2025-66644 as an OS command injection vulnerability in Array Networks ArrayOS AG. CISA’s KEV record marks it as known exploited and directs organizations to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The supplied corpus does not provide exploit mechanics, affected versions, or a CVSS score.

Defensive priority

Highest priority. Because CISA has added the issue to KEV, remediation or compensating controls should be treated as urgent and time-bound.

Recommended defensive actions

  • Review the Array Networks vendor guidance referenced by CISA and apply the documented mitigations as soon as possible.
  • Confirm whether any ArrayOS AG instances are deployed in your environment, including externally reachable deployments.
  • If mitigations are unavailable or cannot be applied quickly, follow CISA’s guidance to discontinue use of the product.
  • If the product is used in a cloud-service context, follow applicable BOD 22-01 guidance.
  • Validate that security monitoring and alerting cover the affected systems during the remediation window.
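The inventory and monitoring checks above are easiest to apply consistently when the KEV record is matched against an asset list rather than by hand. The script below is an added example (not PatchSiren's or Array Networks' code) that takes a record in the shape of CISA's known_exploited_vulnerabilities.json feed, carrying only the vendor, product and dates stated on this page, and triages a constructed asset inventory against it: exact vendor/product matches are flagged, internet-facing instances are ranked first, assets without monitoring coverage are called out, and the days remaining to the KEV due date are reported. The inventory hostnames, the `internet_facing` and `monitored` fields, and the placeholder text in the record are assumptions for the example.

```python
"""Triage a CISA KEV entry against an asset inventory.

Added example; not PatchSiren's or Array Networks' code. The KEV record is
constructed in the shape of CISA's known_exploited_vulnerabilities.json
feed using the vendor, product and dates from the debrief; text fields
not on the page are placeholders. The asset inventory is constructed.
"""
from datetime import date

# Constructed KEV-style record (field names follow CISA's JSON feed).
KEV_RECORD = {
    "cveID": "CVE-2025-66644",
    "vendorProject": "Array Networks",
    "product": "ArrayOS AG",
    "vulnerabilityName": "PLACEHOLDER - not quoted from the catalog",
    "dateAdded": "2025-12-08",
    "dueDate": "2025-12-29",
    "requiredAction": "PLACEHOLDER - see the CISA KEV entry",
}

# Constructed asset inventory, as a CMDB export might look. Hostnames,
# exposure and monitoring flags are assumptions for the example.
ASSETS = [
    {"hostname": "vpn-gw-01", "vendor": "Array Networks", "product": "ArrayOS AG",
     "internet_facing": True, "monitored": True},
    {"hostname": "vpn-gw-02", "vendor": "array networks", "product": "ArrayOS  AG",
     "internet_facing": False, "monitored": False},
    {"hostname": "lb-core-01", "vendor": "Array Networks", "product": "OtherSeries (placeholder)",
     "internet_facing": True, "monitored": True},
    {"hostname": "fw-edge-01", "vendor": "ExampleVendor", "product": "ExampleFW",
     "internet_facing": True, "monitored": True},
]


def _norm(text):
    """Case- and whitespace-insensitive form for vendor/product comparison."""
    return " ".join(text.lower().split())


def matches_kev(asset, record):
    """True when the asset's vendor and product both equal the KEV entry's."""
    return (_norm(asset["vendor"]) == _norm(record["vendorProject"])
            and _norm(asset["product"]) == _norm(record["product"]))


def days_until_due(record, today=None):
    """Days from `today` (ISO string, default: actual date) to the KEV due date."""
    today_d = date.fromisoformat(today) if today else date.today()
    return (date.fromisoformat(record["dueDate"]) - today_d).days


def triage(assets, record, today=None):
    """Return matching assets, riskiest first, with their coverage gaps."""
    days_left = days_until_due(record, today)
    affected = []
    for asset in assets:
        if not matches_kev(asset, record):
            continue
        gaps = []
        if asset["internet_facing"]:
            gaps.append("internet-facing")
        if not asset["monitored"]:
            gaps.append("no monitoring coverage")
        affected.append({
            "hostname": asset["hostname"],
            "priority": 1 if asset["internet_facing"] else 2,
            "gaps": gaps,
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    # Internet-facing instances first, then stable order by hostname.
    affected.sort(key=lambda row: (row["priority"], row["hostname"]))
    return affected


if __name__ == "__main__":
    for row in triage(ASSETS, KEV_RECORD, today="2025-12-10"):
        print(f"{row['hostname']}: priority {row['priority']}, "
              f"{row['days_left']} days to KEV due date, gaps: {row['gaps'] or 'none'}")
```

Matching is deliberately exact on the normalised vendor and product strings, so a different Array Networks product line is not flagged; if your inventory records products loosely, review near-misses by hand rather than widening the match. The `overdue` flag turns true once the KEV due date has passed, which is the point at which CISA's guidance to discontinue use applies if mitigations still cannot be deployed.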

Evidence notes

Evidence in the supplied corpus is limited to the CVE record, the CISA KEV entry, and official reference links. The KEV entry names Array Networks as the vendor and ArrayOS AG as the product, identifies the vulnerability as an OS command injection issue, and gives a KEV date added of 2025-12-08 and a due date of 2025-12-29. No CVSS score, exploit details, version range, or remediation specifics were provided in the corpus.

Official resources

Publicly disclosed through the CVE record and CISA KEV catalog on 2025-12-08. The supplied corpus does not include additional vendor-advisory text, so this debrief is constrained to official catalog and record data only.