PT-2025-49310 · Array Networks · Array Ag Os

Published: 2025-08-20 · Updated: 2026-01-01 · CVE-2025-66644

CVSS v2.0: 10 (Critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Array Networks ArrayOS AG versions prior to 9.4.5.9

Description: Array Networks ArrayOS AG before version 9.4.5.9 contains a command injection flaw: commands can be injected into the system, which allows arbitrary code execution. The issue has been exploited in the wild, specifically between August and December 2025, including instances in Japan where it was used to deploy PHP webshells. Approximately 19,900 instances are potentially exposed.

Recommendations: Update versions prior to 9.4.5.9 to version 9.4.5.9 or later.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-16185
CVE-2025-66644

Affected Products

Array Ag Os