What is Array Networks ArrayOS AG?
Array Networks AG (Application Gateway) is an SSL VPN and network access control appliance deployed by enterprises and government agencies for remote access to internal network resources. AG appliances provide user authentication, endpoint compliance checking, and encrypted VPN tunneling, sitting at the internet perimeter and processing all remote access traffic. Array Networks has a significant installed base in Japan (one reason JPCERT/CC issued its advisory) and other Asia-Pacific markets, as well as enterprise and government deployments globally.
Overview
CVE-2025-66644 is an OS command injection vulnerability (CWE-78) in Array Networks ArrayOS AG, exploitable by an authenticated administrator via the DesktopDirect feature. Despite requiring high privileges (PR:H), active exploitation was confirmed by JPCERT/CC beginning as early as August 2025 — suggesting attackers either compromised admin credentials through other means or exploited related authentication weaknesses. Post-exploitation webshell deployment was observed on compromised appliances. Command-and-control traffic was traced to IP 194.233.100[.]138. The patch was released May 11, 2025, but the CVE was not published until December 2025, creating a months-long unpatched window for organizations unaware of the silent fix.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| ArrayOS AG | ≤ 9.4.5.8 | 9.4.5.9 |
Technical Details
The OS command injection (CWE-78) exists in the DesktopDirect feature of ArrayOS AG. The DesktopDirect component provides browser-based remote desktop access to internal resources. User-supplied input in certain DesktopDirect administrative functions is passed to OS-level command execution without sufficient sanitization — allowing an authenticated administrator to inject shell metacharacters that execute arbitrary OS commands.
JPCERT/CC identified that the injection vector involves semicolons in URL parameters — a common shell injection character. JPCERT advised blocking semicolons in URLs as a temporary mitigation for organizations that could not patch immediately.
Key characteristics:
- Admin-level authentication required (PR:H) — attackers likely obtained credentials through credential stuffing, phishing, or a related authentication weakness
- Commands execute with the privileges of the ArrayOS service (typically root)
- Webshells were deployed post-exploitation for persistent access
- C2 communication observed from compromised appliances to 194.233.100[.]138
Historical context: A prior Array Networks AG vulnerability was exploited by MirrorFace, a Chinese APT, in campaigns against Japanese organizations — making Array Networks devices a known target for state-sponsored actors.
Discovery
JPCERT/CC confirmed active exploitation and issued advisory AT25-0024 on December 5, 2025. Array Networks had quietly released the fix in ArrayOS AG 9.4.5.9 on May 11, 2025 without public CVE disclosure, creating a seven-month gap during which exploitation proceeded against unaware organizations.
Exploitation Context
Active exploitation was confirmed from at least August 2025 through December 2025. JPCERT/CC observed webshell deployments on compromised AG appliances across Japanese organizations. C2 traffic to 194.233.100[.]138 was identified. No formal threat actor attribution was made, but the pattern (Japanese targets, VPN appliance exploitation) is consistent with MirrorFace or similar Chinese APT TTPs.
Remediation
- Upgrade to ArrayOS AG 9.4.5.9 immediately. The CISA deadline was December 29, 2025. Note that the fix has been available since May 11, 2025, so many deployments may have gone months without patching.
- Block semicolons in URL parameters as a temporary mitigation at your edge firewall or web application firewall if immediate patching is not feasible.
- Hunt for webshells on the AG appliance filesystem — look for unexpected scripts or executables in web-served directories or admin CGI paths.
- Block outbound connections to 194.233.100[.]138 — identified as the C2 server used in the exploitation campaign.
- Rotate admin credentials — if the appliance was internet-accessible with the default or known credentials, assume they have been compromised.
- Review ArrayOS audit logs for unexpected administrative commands or configuration changes from unknown source IPs.
- Check for lateral movement indicators — a compromised VPN gateway provides access to the internal network; review internal systems for signs of unauthorized access originating from the AG appliance's network segment.
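Two checks that follow from the semicolon-in-URL vector described under Technical Details and from the hunting steps in this list, written as an added example for this page (not Array Networks or JPCERT/CC tooling): a scan of web access log lines for query parameters that contain a semicolon once percent-decoded, and a scan of flow records for contact with the C2 address named here. The combined-log access format, the flow record format, the `/desktopdirect/admin` path and the `host` parameter are assumptions, and the sample lines are constructed.

```python
"""Detection helpers for the two observable indicators this advisory describes:
semicolons in URL query parameters of requests to the AG web interface (the
injection vector JPCERT/CC identified) and outbound connections from the
appliance to the C2 address 194.233.100.138. Constructed sample logs are below;
the /desktopdirect/ path, the 'host' parameter and both log formats are assumptions."""
import re
from urllib.parse import unquote_plus, urlsplit

C2_IP = "194.233.100.138"  # from the advisory, written undefanged for matching

# Combined-log-format style access line (assumed format for the appliance's web log)
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Key=value firewall/flow record (assumed format)
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def _decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so that %3B and the double-encoded
    %253B are both seen as ';', which is what the server ends up processing."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs whose decoded form contains a semicolon.
    The query is split on '&' by hand rather than with parse_qsl, whose
    treatment of ';' as a separator changed across Python versions."""
    hits = []
    for chunk in urlsplit(url).query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        name, value = _decode(name), _decode(value)
        if ";" in name or ";" in value:
            hits.append((name, value))
    return hits


def scan_access_log(lines: list[str]) -> list[dict]:
    """Flag requests carrying a semicolon in any query parameter."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparsable line: leave for manual review
        hits = suspicious_params(m["url"])
        if hits:
            findings.append({"src": m["src"], "user": m["user"], "ts": m["ts"],
                             "url": m["url"], "params": hits})
    return findings


def outbound_to_c2(lines: list[str], c2_ip: str = C2_IP) -> list[dict]:
    """Return flow records whose destination is the advisory's C2 address."""
    findings = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m["dst"] == c2_ip:
            findings.append(m.groupdict())
    return findings


# Constructed sample data (RFC 5737 documentation addresses; not real telemetry)
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - admin [12/Aug/2025:09:14:02 +0900] "GET /desktopdirect/admin?host=10.0.0.5 HTTP/1.1" 200 512',
    '203.0.113.10 - admin [12/Aug/2025:09:14:40 +0900] "GET /desktopdirect/admin?host=10.0.0.5;id HTTP/1.1" 200 733',
    '203.0.113.10 - admin [12/Aug/2025:09:15:01 +0900] "GET /desktopdirect/admin?host=10.0.0.5%3Bid HTTP/1.1" 200 733',
    '198.51.100.7 - - [12/Aug/2025:09:16:10 +0900] "GET /login?lang=en HTTP/1.1" 200 1024',
]
SAMPLE_FLOW_LOG = [
    "2025-08-12T00:20:11Z action=allow src=10.10.1.2 dst=203.0.113.50 dport=443",
    "2025-08-12T00:21:05Z action=allow src=10.10.1.2 dst=194.233.100.138 dport=443",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[semicolon in URL param] {f['ts']} {f['src']} user={f['user']} {f['url']} -> {f['params']}")
    for f in outbound_to_c2(SAMPLE_FLOW_LOG):
        print(f"[C2 contact] {f['src']} -> {f['dst']}:{f['dport']}")
```

The decode step is the part worth carrying into a WAF rule: a filter that matches only a literal `;` never sees the `%3B` form, yet the appliance decodes it before the parameter reaches the vulnerable code, so the interim block on semicolons should be applied to the decoded query. Both scans are triage aids for the log review and C2 blocking steps above; the upgrade to 9.4.5.9 remains the fix.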
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-66644 |
| Vendor / Product | Array Networks — ArrayOS AG |
| NVD Published | 2025-12-05 |
| NVD Last Modified | 2025-12-10 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2025-12-08 |
| CISA KEV Deadline | 2025-12-29 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Timeline
| Date | Event |
|---|---|
| 2025-05-11 | Array Networks releases ArrayOS AG 9.4.5.9 with fix (patch date predates CVE publication) |
| 2025-08-01 | Active exploitation in the wild begins (estimated from JPCERT telemetry) |
| 2025-12-05 | CVE published; JPCERT/CC issues advisory AT25-0024 confirming active exploitation |
| 2025-12-08 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-12-29 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Array Networks Support — ArrayOS AG Security Update | Vendor Advisory |
| JPCERT/CC Alert AT25-0024 — Array Networks ArrayOS AG Exploitation | US Government |
| NVD — CVE-2025-66644 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| JPCERT Confirms Active Command Injection Exploitation in Array Networks ArrayOS | News |