CISA Adds Array Networks and D-Link Vulnerabilities to KEV Catalog

CISA has recently added critical vulnerabilities from Array Networks ArrayOS AG VPN devices and D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, signaling active real-world exploitation. Federal agencies must remediate these by deadlines under BOD 22-01, with broader organizations urged to prioritize patching in tools like Qualys.

Array Networks CVE-2025-66644 Details

This command injection flaw affects ArrayOS AG versions before 9.4.5.9, specifically in the DesktopDirect remote access feature, and allows attackers to execute arbitrary commands; in some cases no authentication bypass is required. Exploitation began in August 2025, primarily targeting Japanese organizations: attackers operating from IP 194.233.100.138 deployed PHP webshells in paths such as /webapp/ and created rogue user accounts. Array Networks released version 9.4.5.9 in May 2025; if patching must be delayed, disable DesktopDirect or filter URLs containing semicolons.

CVSS score: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, enabling high-impact breaches such as network infiltration.
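The two defensive signals the article gives for this CVE (requests whose URL contains a semicolon, and PHP files appearing under /webapp/), plus the reported source IP, can be turned into a simple triage pass over web access logs. The script below is an added example, not code from Array Networks or from the article. The log lines are constructed in common log format and the /vpn/login endpoint is a hypothetical path, not an ArrayOS route; the URL decoding step exists so that a percent-encoded semicolon (%3B) is not missed.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Source IP named in the article as the origin of the observed exploitation.
KNOWN_BAD_IPS = {"194.233.100.138"}

# Common log format: ip ident user [timestamp] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real appliance output); the endpoint is hypothetical.
SAMPLE_LOG = [
    '194.233.100.138 - - [12/Aug/2025:10:15:32 +0000] "GET /vpn/login?user=alice;extra HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Aug/2025:10:16:01 +0000] "GET /vpn/login?user=bob HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Aug/2025:10:17:45 +0000] "GET /vpn/login?user=carol%3Bextra HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Aug/2025:10:18:02 +0000] "POST /webapp/shell.php HTTP/1.1" 200 77',
    '198.51.100.4 - - [12/Aug/2025:10:19:10 +0000] "GET /webapp/index.html HTTP/1.1" 200 300',
]


@dataclass
class Finding:
    ip: str
    uri: str
    reasons: list


def analyze_line(line):
    """Return a Finding for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    ip, uri = m["ip"], m["uri"]
    decoded = unquote(uri)  # catch %3B as well as a literal ';'
    reasons = []
    if ";" in decoded:
        reasons.append("semicolon in request URI")
    if ip in KNOWN_BAD_IPS:
        reasons.append("source IP listed in the advisory")
    path = decoded.split("?", 1)[0]
    if path.startswith("/webapp/") and path.lower().endswith(".php"):
        reasons.append("PHP file requested under /webapp/")
    return Finding(ip, uri, reasons) if reasons else None


def analyze(lines):
    """Run analyze_line over every line and keep only the hits, in log order."""
    return [f for f in (analyze_line(line) for line in lines) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip} {f.uri} -> {', '.join(f.reasons)}")
```

Run it against exported access logs before rebooting the appliance, since the article notes that logs should be preserved pre-reboot; a hit on the PHP rule is a cue to inspect the file on disk, not proof of compromise by itself.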

D-Link CVE-2022-37055 Breakdown

The buffer overflow in end-of-life D-Link Go-RT-AC750 routers permits remote code execution, memory corruption, data interception, and lateral movement. Added to KEV due to confirmed exploitation, these devices lack official patches, so retirement is recommended alongside mitigations like firmware checks and strong credentials.

Actionable Recommendations

  • Scan and Patch: Query for CVE-2025-66644 and CVE-2022-37055; apply ArrayOS 9.4.5.9 immediately and isolate D-Link hardware.
  • Incident Response: Preserve logs pre-reboot, hunt for webshells/PHP files in webapp directories, and monitor DesktopDirect traffic.
  • Proactive Steps: Integrate KEV feeds into vulnerability management; disable unused features like DesktopDirect to shrink attack surface.
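The "Scan and Patch" and "Proactive Steps" items above amount to one loop: pull the KEV feed, match its entries against your asset inventory, and decide per asset whether the fix is "upgrade" or "retire". The script below is an added example and not CISA's or any vendor's code. The feed excerpt is constructed in the field layout of the public KEV JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); only the CVE IDs, vendors, products and the 9.4.5.9 fixed version come from the article, while the dateAdded/dueDate values and the asset inventory are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. The dates are
# placeholders for illustration, not the catalog's real remediation deadlines.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2025-12-01T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2025-66644", "vendorProject": "Array Networks", "product": "ArrayOS AG",
     "vulnerabilityName": "Array Networks ArrayOS AG Command Injection Vulnerability",
     "dateAdded": "2025-12-01", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2025-12-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2022-37055", "vendorProject": "D-Link", "product": "Go-RT-AC750",
     "vulnerabilityName": "D-Link Go-RT-AC750 Buffer Overflow Vulnerability",
     "dateAdded": "2025-12-01", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2025-12-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Fixed versions from the article; None means no vendor fix exists (end-of-life device).
FIXED_VERSION = {"CVE-2025-66644": "9.4.5.9", "CVE-2022-37055": None}

# Constructed asset inventory; in practice this comes from a CMDB or scanner export.
SAMPLE_ASSETS = [
    {"hostname": "vpn-gw-1", "vendor": "Array Networks", "product": "ArrayOS AG", "version": "9.4.5.3"},
    {"hostname": "vpn-gw-2", "vendor": "Array Networks", "product": "ArrayOS AG", "version": "9.4.5.9"},
    {"hostname": "branch-rtr", "vendor": "D-Link", "product": "Go-RT-AC750", "version": "1.01"},
    {"hostname": "core-fw", "vendor": "ExampleVendor", "product": "ExampleFW", "version": "4.2"},
]


def parse_version(v):
    """Turn '9.4.5.3' into (9, 4, 5, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def load_kev(text):
    """Parse the feed and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def is_patched(asset_version, fixed_version):
    """An asset is patched only if a fix exists and it runs that version or later."""
    if fixed_version is None:
        return False
    return parse_version(asset_version) >= parse_version(fixed_version)


def match_assets(kev_entries, assets, today):
    """Join KEV entries to assets by vendor/product and report what each one still needs."""
    today = date.fromisoformat(today)
    findings = []
    for entry in kev_entries:
        for asset in assets:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if entry["product"].lower() not in asset["product"].lower():
                continue
            fixed = FIXED_VERSION.get(entry["cveID"])
            if is_patched(asset["version"], fixed):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "hostname": asset["hostname"],
                "cveID": entry["cveID"],
                "action": f"upgrade to {fixed}" if fixed else "no vendor fix: isolate and retire",
                "dueDate": due.isoformat(),
                "overdue": today > due,
            })
    return findings


if __name__ == "__main__":
    for f in match_assets(load_kev(SAMPLE_KEV_JSON), SAMPLE_ASSETS, date.today().isoformat()):
        print(f)
```

The vendor/product join is deliberately loose (substring match on product) because KEV product names rarely match inventory strings exactly; the cost is the occasional false positive, which is the right trade-off for a catalog of actively exploited bugs. The FIXED_VERSION table is the part you maintain by hand, since the KEV feed itself does not carry affected-version ranges.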

These additions underscore persistent risks in VPN appliances and legacy routers—patch now to evade threat actors.
