The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with two distinct but equally dangerous threats: a critical flaw in legacy D-Link routers and a command injection vulnerability in Array Networks appliances currently under attack in Japan.
The first vulnerability, tracked as CVE-2022-37055, is a critical Buffer Overflow vulnerability carrying a near-maximum CVSS score of 9.8. The flaw affects D-Link Go-RT-AC750 routers, specifically within the cgibin and hnap_main components.
However, there is no patch coming. The affected hardware revisions have reached their End of Life cycle. Consequently, “D-Link US recommends D-Link devices that have reached EOL/EOS, to be retired and replaced” immediately, as they are now defenseless against active exploitation.
The second vulnerability, CVE-2025-66644 (CVSS 7.2), involves an OS Command Injection flaw in Array Networks ArrayOS AG. This vulnerability is currently being weaponized in the wild, with Japan’s Computer Emergency and Response Team (CERT) warning that hackers have been exploiting the vulnerability since at least August in attacks targeting organizations in the country.
The attacks are precise and dangerous. Threat actors are using the flaw to drop persistent backdoors onto vulnerable systems. “In the incidents confirmed by JPCERT/CC, a command was executed attempting to place a PHP webshell file in the path /ca/aproxy/webapp/,” the bulletin reveals.
Intelligence reports have linked these attacks to the IP address 194.233.100[.]138, which is used for both the initial attack and subsequent communications.
The flaw impacts ArrayOS AG version 9.4.5.8 and earlier, specifically those with the ‘Desktop Direct’ remote access feature enabled.
Administrators are urged to upgrade to ArrayOS version 9.4.5.9 to close the security gap. If an immediate update is not possible, JPCERT recommends the following workarounds:
- If the Desktop Direct feature is not in use, disable all Desktop Direct services
- Use URL filtering to block access to URLs containing a semicolon, which effectively disrupts the command injection syntax
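
For defenders reviewing logs while the upgrade is pending, the following added example (not code from CISA, JPCERT/CC or Array Networks) triages web access-log lines for the three signals the article mentions: a semicolon in the URL, the reported webshell path, and the reported source IP. It assumes common/combined access-log format; the function names and sample lines are constructed for illustration, and it percent-decodes repeatedly because a filter that only looks for a literal `;` misses `%3B` and `%253B`.

```python
import re
from urllib.parse import unquote

# Indicators quoted in the article (the IP is written defanged there).
INDICATOR_IP = "194.233.100.138"
WEBSHELL_DIR = "/ca/aproxy/webapp/"

# Assumption: logs are in common/combined access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d{3}')

def fully_decode(url, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both surface as ';'."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def triage(line):
    """Return the reasons a log line deserves review (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = fully_decode(m["url"])
    reasons = []
    if ";" in url:
        reasons.append("semicolon-in-url")
    if WEBSHELL_DIR in url:
        reasons.append("mentions-webshell-dir")
    if m["ip"] == INDICATOR_IP:
        reasons.append("indicator-ip")
    return reasons

def scan(lines):
    """Map 1-based line number -> reasons, for lines with at least one hit."""
    return {n: r for n, line in enumerate(lines, 1) if (r := triage(line))}

# Constructed sample lines (not real traffic); paths and parameters are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Dec/2025:10:00:00 +0900] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2025:10:00:01 +0900] "GET /example/path;placeholder HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Dec/2025:10:00:02 +0900] "GET /example/path%253Bplaceholder HTTP/1.1" 200 0',
    '194.233.100.138 - - [01/Dec/2025:10:00:03 +0900] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2025:10:00:04 +0900] "GET /example?x=%2Fca%2Faproxy%2Fwebapp%2Fsample.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(reasons))
```

A hit is a prompt for review, not proof of compromise: semicolons can appear in legitimate URLs, so tune the rule against your own traffic before alerting on it.
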
The agency has set a strict deadline of December 29, 2025, for Federal Civilian Executive Branch (FCEB) agencies to secure their networks against these active threats.