CVE-2025-66644 HIGH

CVE-2025-66644

Vendor Array Networks

Product ArrayOS AG

Weakness CWE-78

KEV Status Known Exploited

Published December 5, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

December 5, 2025 CVE published

February 26, 2026 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66644 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html CISA KEV Reference https://support.arraynetworks.net/prx/001/http/supportportal.a… CISA KEV Reference https://www.jpcert.or.jp/at/2025/at250024.html CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2025-66644

Related vulnerabilities

CVE-2025-66644

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE