Exploited At The Edge: ArrayOS AG VPN Flaw Puts Remote Access Gateways At Risk

By Ash K

A critical command injection flaw in Array Networks' ArrayOS AG VPN gateways has moved from a technical advisory to an active global threat. Since at least August 2025, attackers have been exploiting vulnerable devices to deploy webshells, create rogue administrator accounts and pivot deep into corporate networks, prompting emergency alerts from national computer emergency response teams and security vendors.

The vulnerability, now tracked as CVE-2025-66644, affects ArrayOS AG versions prior to 9.4.5.9. It allows carefully crafted input to be passed directly into operating system commands on the underlying gateway. For organisations that rely on these devices as a secure front door for remote workers, the flaw has turned that door into a potential open side entrance.

A critical flaw in a widely deployed VPN platform

Array Networks' AG Series appliances sit at the edge of many corporate networks, providing SSL VPN access, secure remote desktop connectivity and single sign-on for internal applications. The affected firmware, ArrayOS AG, powers these secure access gateways in enterprises, service providers and government environments.

At the heart of the issue is a feature known as DesktopDirect, which is designed to let employees reach their office workstations from outside the network. Security researchers and national incident teams have found that input handled by this feature is not properly sanitised. In practical terms, that means an attacker can inject system commands into parameters processed by the gateway and have them executed by the underlying operating system.

The flaw is classified under CWE-78, an operating system command injection weakness. It has been rated high severity under CVSS version 3.1, reflecting the combination of network exposure, low attack complexity and potentially severe impact on confidentiality, integrity and availability.

From bug to breach: how attackers are abusing the gateway

Early incident reports from Japan show how the vulnerability is being weaponised in real attacks. Adversaries scan the internet for exposed AG Series gateways that are running older firmware. Once a suitable target is found, they send crafted HTTP requests that trigger the DesktopDirect component and insert malicious shell commands.

Those commands typically perform three types of action:

  • Deploying persistent webshells under the web server directory, giving attackers a convenient way to execute further commands through ordinary HTTPS traffic.
  • Creating new local users and administrators on the gateway, sometimes with innocuous looking names, so that access persists even if the original exploit is blocked.
  • Connecting back to external command servers, which can be used to pull down additional tools or relay traffic deeper into the internal network.

In several cases, defenders found evidence that attackers had used the compromised gateway as a launchpad to probe internal servers, file shares and directory services. The VPN appliance, which is intended to enforce strong separation between the internet and corporate resources, effectively became a bridge for the intruder.

Japan at the centre, but the risk is global

The first detailed public alert came from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), which warned that domestic organisations using AG Series gateways had been under sustained attack since August 2025. The agency reported repeated attempts to exploit the DesktopDirect function and noted a pattern of webshell deployment and unauthorised user creation on affected devices.

Subsequent open-source intelligence and vendor telemetry indicate that the issue is not confined to Japan. Internet scan data and threat reports highlight vulnerable AG devices in Europe and other regions, including critical sectors such as manufacturing, logistics, professional services and education. Security organisations have begun to see probing and exploit traffic against these endpoints, though the scale of successful compromise outside Japan is still being assessed.

The concentration of attacks in Japan likely reflects both the installed base of AG gateways and local threat actor interest. However, any organisation that exposes an AG Series VPN or secure access gateway to the internet and has not applied the May 2025 firmware update is potentially at risk.

A patch released quietly, then months of silent exploitation

One of the most troubling aspects of the ArrayOS AG case is the timeline. Array Networks issued a patched release, ArrayOS AG 9.4.5.9, in May 2025. That update closed the command injection hole in DesktopDirect. At the time, however, details of the vulnerability and its security impact were limited. Many customers appear to have treated the release as a routine maintenance update rather than a critical security fix.

Over the following months, adversaries began systematically exploiting unpatched gateways. By August 2025, JPCERT/CC was observing multiple intrusions against Japanese organisations where the common factor was an outdated AG Series gateway. The pattern only became clear as incident responders compared notes across different victims and traced activity back to a shared technique.

In early December 2025, the vulnerability was formally catalogued as CVE-2025-66644, explicitly describing it as an operating system command injection issue in ArrayOS AG prior to version 9.4.5.9, with known exploitation in the wild between August and December 2025. The assignment of a CVE and the publication of detailed advisories have helped to raise awareness, but for many organisations the wake-up call came only after attackers had already had several months to work.

Technical profile of CVE-2025-66644

Although full exploit code has not been widely published, public analyses and incident reports provide enough detail to outline how CVE-2025-66644 behaves and why it is dangerous.

The vulnerability arises when user supplied data is passed into shell commands on the underlying operating system without proper neutralisation of special characters. In practice, this often involves a parameter that is concatenated into a command string or used as an argument to a script invoked by the gateway software.
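The pattern described in that paragraph, as an added illustration that is not ArrayOS code and does not reproduce the real DesktopDirect handler: `echo` stands in for a hypothetical gateway-side helper that receives a request parameter, so the effect of injected metacharacters is visible in the captured output. The `host`-style allow-list is an assumed format for a DesktopDirect target; the real parameter and script names are not public.

```python
import re
import subprocess

# Added illustrative example; not ArrayOS code. "echo" is a stand-in for a
# hypothetical gateway-side helper that is handed a request parameter
# (assumption), chosen so the injected command's effect shows up in stdout.
BACKEND = "echo"

# Allow-list for a hostname-like DesktopDirect target (assumed format):
# letters, digits, dots and hyphens only, 1-64 characters, nothing else.
ALLOWED_TARGET = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,63}")


def run_vulnerable(target: str) -> str:
    """CWE-78 pattern: the request parameter is concatenated into a shell string.

    With shell=True a ';' in the parameter ends the intended command and the
    shell runs whatever follows it as a second command.
    """
    cmd = f"{BACKEND} {target}"  # e.g. 'echo ws01; echo INJECTED'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_no_shell(target: str) -> str:
    """Partial fix: exec an argv list with no shell, so metacharacters are data.

    The backend still receives attacker-controlled text, so this alone is not
    enough if the backend itself interprets its argument.
    """
    return subprocess.run([BACKEND, target], capture_output=True, text=True).stdout


def accepts_target(target: str) -> bool:
    """Allow-list check: the only input the gateway should ever pass on."""
    return ALLOWED_TARGET.fullmatch(target) is not None


def run_hardened(target: str) -> str:
    """Hardened form: allow-list validation first, then argv exec with no shell."""
    if not accepts_target(target):
        raise ValueError(f"rejected DesktopDirect target: {target!r}")
    return run_argv_no_shell(target)


if __name__ == "__main__":
    payload = "ws01; echo INJECTED"  # constructed injection payload
    print("vulnerable:", run_vulnerable(payload).splitlines())     # ['ws01', 'INJECTED']
    print("argv only :", run_argv_no_shell(payload).splitlines())  # ['ws01; echo INJECTED']
    print("hardened  :", accepts_target(payload), accepts_target("ws01.corp.example"))
```

The two fixes are layered deliberately: dropping the shell stops the gateway's own process from parsing metacharacters, and the allow-list stops them from reaching whatever the backend does with its argument. Neutralising characters by escaping them is the weaker third option and is what CWE-78 fixes tend to get wrong.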

According to the published CVSS v3.1 vector, the flaw is:

  • Accessible over the network, meaning no local access is required.
  • Low complexity, with no need for unusual conditions once the target is exposed.
  • Associated with high impact on confidentiality, integrity and availability, since successful exploitation grants the attacker command level access on the gateway.

There is some variation in how different advisories describe the required privileges. Some technical analyses suggest that an attacker needs valid credentials or access to a particular feature, while multiple incident reports indicate that in real-world deployments the vulnerable path can be triggered without full VPN authentication, particularly when DesktopDirect is exposed to the internet. Until the vendor states the precise precondition, defenders should plan on the less favourable reading and treat every internet-reachable DesktopDirect endpoint as exploitable. In either case, once the vulnerable code path is reached, the path from exploitation to full device compromise is short.

From edge device to enterprise compromise

A compromised VPN or secure access gateway is not just another server on the network. It is a choke point through which legitimate users and sensitive traffic flow every day. When attackers gain control of that device, they inherit its strategic position.

Typical post-exploitation activity in the ArrayOS AG cases includes:

  • Harvesting configuration and credentials from the gateway, including stored directory service connections, authentication tokens and neighbouring system details.
  • Proxying internal attacks through the compromised device, so that scans and exploitation attempts appear to originate from a trusted internal asset rather than an external IP address.
  • Maintaining long-term persistence by combining webshells, new accounts and scheduled tasks that survive reboots and routine maintenance.

In some investigations, incident responders have found traces of attackers using the AG gateway as a staging area to move laterally into file servers, application clusters and identity systems. Because VPN appliances often sit in sensitive network zones with broad connectivity, they can offer routes around segmentation that would otherwise slow an attacker down.

What organisations should do now

The immediate priority for any organisation running ArrayOS AG gateways is to determine whether they are affected and, if so, to take swift remedial action. That involves more than just applying a patch.

1. Identify and patch vulnerable devices

Administrators should inventory all AG Series gateways and verify the current firmware version. Any device running a version earlier than ArrayOS AG 9.4.5.9 should be treated as potentially vulnerable. Where business constraints allow, upgrades should be applied as an emergency change rather than deferred to a routine maintenance window.

For environments where immediate patching is impossible, compensating controls may reduce exposure: restricting external access to the DesktopDirect feature, placing the gateway behind a separate VPN or zero-trust access layer, or limiting the source IP ranges allowed to connect. None of these is a replacement for the fix, and a device that was exposed before the controls were applied should still be checked for compromise.
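A small inventory triage for step 1, added here as an example and not Array Networks tooling. It applies only the rule the advisory states (anything earlier than 9.4.5.9 is vulnerable) and compares release numbers numerically, because a plain string comparison sorts "9.4.10.2" before "9.4.5.9" and would mark a newer build as needing a patch. The hostnames and version strings are constructed; the dotted-integer format is an assumption about how the vendor labels releases, and if the vendor maintains separate fixed builds on other branches, its advisory governs over this rule.

```python
from typing import Dict, List, Tuple

# First ArrayOS AG release named on the page as closing the DesktopDirect hole.
FIXED_VERSION = "9.4.5.9"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted release string into a tuple of ints for numeric comparison.

    Lexical comparison gets this wrong: as strings, "9.4.10.2" < "9.4.5.9"
    because "1" < "5". Tuple comparison is also prefix-aware, so "9.4.5"
    sorts before "9.4.5.9". Anything that is not a dotted sequence of
    integers is rejected rather than guessed at (the vendor's version
    string format is an assumption here).
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the device runs a release earlier than the fixed one."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket an inventory into patch_now / ok / unknown by hostname."""
    result: Dict[str, List[str]] = {"patch_now": [], "ok": [], "unknown": []}
    for device in inventory:
        try:
            bucket = "patch_now" if is_vulnerable(device["version"]) else "ok"
        except ValueError:
            bucket = "unknown"  # blank or odd version: unverified, never assumed safe
        result[bucket].append(device["host"])
    return result


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "ag-vpn-01", "version": "9.4.5.9"},   # exactly the fixed release
    {"host": "ag-vpn-02", "version": "9.4.5.3"},   # earlier patch level
    {"host": "ag-vpn-03", "version": "9.4.10.2"},  # newer; a string compare would wrongly flag it
    {"host": "ag-vpn-04", "version": "9.3.0.11"},  # earlier major.minor
    {"host": "ag-vpn-05", "version": ""},          # not collected yet
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
    # {'patch_now': ['ag-vpn-02', 'ag-vpn-04'], 'ok': ['ag-vpn-01', 'ag-vpn-03'], 'unknown': ['ag-vpn-05']}
```

The "unknown" bucket is deliberate: a gateway whose version could not be collected is an inventory gap to close, not a device to leave off the patch list.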

2. Hunt for signs of compromise back to August 2025

Given that exploitation has been observed since August 2025, organisations should not assume they are safe simply because there are no current alerts. Security teams should review logs on AG gateways and adjacent systems for:

  • Unexpected requests to DesktopDirect related URLs or parameters.
  • Creation of new local users or administrative accounts on the gateway.
  • Unusual outbound connections from the gateway to unfamiliar IP addresses.
  • Suspicious files in web server directories that could act as webshells.

Where logging on the gateway is limited, defenders may need to lean on network telemetry, endpoint detection on internal servers and firewall logs to reconstruct potential attacker activity.
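To make the first of those hunting checks concrete, here is an added triage script (not Array Networks tooling and not from the page's sources) that parses access-log lines and flags DesktopDirect requests whose percent-decoded query parameters carry shell metacharacters. The sample lines, addresses and timestamps are constructed; the Apache-style log format, the `/desktopdirect/...` paths and the `host` parameter are assumptions, since the gateway's real log format and URL layout are not given on the page. Adapt the regexes to the actual log format and to the paths named in the vendor advisory.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in a generic Apache-style combined format.
# Assumption: the real ArrayOS AG log format, DesktopDirect paths and parameter
# names are not public, so "/desktopdirect/..." and "host=" are stand-ins.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:03:14:07 +0900] "GET /desktopdirect/list?user=jsmith HTTP/1.1" 200 512
203.0.113.7 - - [12/Aug/2025:03:14:09 +0900] "GET /desktopdirect/connect?host=ws01%3Bid%3Ecat%20%2Fetc%2Fpasswd HTTP/1.1" 200 88
198.51.100.23 - - [12/Aug/2025:03:15:40 +0900] "POST /desktopdirect/connect HTTP/1.1" 200 88
10.20.0.5 - - [12/Aug/2025:08:02:11 +0900] "GET /desktopdirect/connect?host=ws17.corp.example HTTP/1.1" 200 2048
203.0.113.7 - - [12/Aug/2025:03:16:02 +0900] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters a POSIX shell treats specially. Hostnames and usernames never
# need them, so any occurrence in a DesktopDirect parameter is suspicious.
SHELL_META = re.compile(r"[;|&`$<>(){}\n]")
DESKTOPDIRECT_PATH = re.compile(r"desktopdirect", re.IGNORECASE)


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return findings for requests that look like DesktopDirect command injection."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        url = urlsplit(m["target"])
        if not DESKTOPDIRECT_PATH.search(url.path):
            continue
        # parse_qsl percent-decodes the values, which is what the shell would see
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_META.search(value):
                findings.append({
                    "severity": "high", "src": m["src"], "ts": m["ts"],
                    "param": name, "value": value,
                    "reason": "shell metacharacters in DesktopDirect parameter",
                })
        if m["method"] == "POST":
            # Request bodies are not in an access log, so a payload may be hidden here.
            findings.append({
                "severity": "review", "src": m["src"], "ts": m["ts"],
                "param": "", "value": "",
                "reason": "POST to DesktopDirect; body not logged, pull the full request if captured",
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"], f["src"], f["ts"], f["reason"], repr(f["value"]))
```

Two things to keep in mind when running this against real data: decode before matching, because the attacker will percent-encode the metacharacters and a raw grep for `;` will miss them, and treat POSTs as a gap in visibility rather than as clean, since the access log never shows the body. The other three hunting items (new accounts, outbound connections, files in web directories) need the gateway's account list, flow records and a file listing rather than the access log, and are not covered by this script.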

3. Rebuild and re-baseline where necessary

If there are credible signs that an AG gateway has been compromised, best practice is to treat the device as untrusted. That may mean performing a clean rebuild from a known good image, reapplying configuration from secure backups and rotating any credentials, keys or tokens that were stored on or passed through the gateway.

In highly sensitive environments, organisations may also consider additional measures such as increased monitoring of systems that communicated heavily with the compromised appliance during the suspected intrusion window.

4. Strengthen VPN and remote access governance

Beyond the urgent response, the ArrayOS AG incident highlights the need for robust governance around VPN and secure access infrastructure. Concrete steps include:

  • Ensuring that security bulletins from vendors are triaged promptly and that critical patches are treated differently from routine feature updates.
  • Limiting the exposure of VPN and remote desktop features to the absolute minimum required for business operations.
  • Integrating edge devices more fully into security monitoring, including forwarding logs to central systems and applying behavioural analytics.

These measures will not eliminate the risk of future vulnerabilities, but they can reduce the window of opportunity for attackers and make exploitation more detectable.

Lessons for a perimeter that no longer looks like a perimeter

The ArrayOS AG command injection flaw is a reminder that in a world of hybrid work and cloud migration, the perimeter has not disappeared so much as moved. Remote access gateways, VPN appliances and secure access platforms now carry a disproportionate share of trust and exposure.

When those systems contain latent flaws, the consequences can be far reaching. Attackers no longer need to phish individual users or guess passwords if they can compromise the central point where all remote sessions converge. In that sense, the exploitation of CVE-2025-66644 is part of a broader pattern that has seen multiple vendors of VPN and secure access products face serious vulnerabilities over recent years.

For security leaders, the lesson is clear. Edge infrastructure deserves the same depth of scrutiny and investment as identity providers, core networking gear and cloud control planes. That means rigorous patch management, deep visibility, and a mindset that assumes that even trusted gateways can fail in unexpected ways.

For organisations using ArrayOS AG today, the priority is immediate response: patch, investigate, and if necessary rebuild. For the wider community, this incident is another sign that the line between perimeter and core has blurred, and that securing the path into the network is just as important as securing what lies inside.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.