Detect Array Networks ArrayOS AG OS Command Injection (CVE-2025-66644) in Microsoft Sentinel
Detects exploitation of CVE-2025-66644, an OS command injection vulnerability in Array Networks ArrayOS AG. This vulnerability allows remote attackers to execute arbitrary operating system commands through the Array Networks SSL VPN/ZTNA gateway. The flaw is tracked by CISA as a Known Exploited Vulnerability (KEV), indicating active in-the-wild exploitation. Attackers may leverage this to gain initial access, establish persistence, or pivot laterally within the network.
MITRE ATT&CK
KQL Detection Query
let ArrayNetworksIPs = dynamic([]);
let SuspiciousCommands = dynamic(['wget', 'curl', 'chmod', 'bash', 'sh', 'nc', 'ncat', 'python', 'perl', 'ruby', '/tmp/', '/dev/shm', 'base64', 'id;', 'whoami', 'uname', '&&', '||', '`', '$()']);
union isfuzzy=true
(
CommonSecurityLog
| where DeviceVendor has_any ('Array Networks', 'ArrayNetworks')
| where Activity has_any ('command', 'exec', 'injection', 'shell', 'os')
or Message has_any (SuspiciousCommands)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, Activity, Message, AdditionalExtensions
| extend AlertReason = 'Array Networks device activity with suspicious command patterns'
),
(
Syslog
| where Computer has_any ('arrayos', 'array-ag', 'arrayvpn')
or ProcessName has_any ('ag', 'arrayd', 'arrayos')
| where SyslogMessage has_any (SuspiciousCommands)
| project TimeGenerated, Computer, ProcessName, SyslogMessage, HostIP
| extend AlertReason = 'ArrayOS syslog with OS command injection indicators'
),
(
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ('wget', 'curl', 'nc', 'bash', 'sh', 'python')
| where InitiatingProcessParentFileName has_any ('ag', 'arrayd', 'httpd', 'nginx')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| extend AlertReason = 'Suspicious child process spawned from Array Networks gateway process'
)
| order by TimeGenerated descDetects CVE-2025-66644 exploitation via CommonSecurityLog entries from Array Networks devices containing suspicious OS command patterns, Syslog events from ArrayOS hosts with injection indicators, and endpoint telemetry showing suspicious child processes spawned from gateway processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative scripts run on the Array Networks appliance by authorized personnel
- Automated monitoring or health-check tools that spawn shell commands via the gateway management interface
- Security scanning tools performing authorized vulnerability assessments against the appliance
- Patch or update processes that invoke shell utilities during maintenance windows
Other platforms for CVE-2025-66644
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Array Networks OS Command Injection via HTTP Request
Expected signal: Web access log entry on the target appliance showing POST request to /cgi-bin/login with URL-encoded shell metacharacters (';id;') in the username parameter
- Test 2Spawn Reverse Shell from Simulated Compromised Array Gateway Process
Expected signal: Endpoint process telemetry showing bash process with parent matching gateway daemon, network telemetry showing outbound TCP connection to ATTACKER_IP:4444 from the gateway host
- Test 3Download and Execute Payload via Injected wget Command
Expected signal: Process telemetry showing wget execution with external URL argument spawned from a gateway-related parent process; DNS query for ATTACKER_IP hostname; outbound HTTP connection to ATTACKER_IP:8080
Unlock Pro Content
Get the full detection package for CVE-2025-66644 including response playbook, investigation guide, and atomic red team tests.