Executive Summary
In December 2025, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog to include two actively exploited vulnerabilities: CVE-2022-37055, a buffer overflow in D-Link routers, and CVE-2025-66644, an OS command injection flaw impacting Array Networks ArrayOS AG. These vulnerabilities provide attack vectors for cybercriminals to gain unauthorized access, conduct lateral movement, or exfiltrate sensitive data within federal and private sector networks. The directive mandates that all Federal Civilian Executive Branch (FCEB) agencies address these threats promptly to reduce risk exposure and protect operational integrity.
This update underscores the persistent threat posed by unpatched network infrastructure vulnerabilities, which remain prime targets for attackers. Timely remediation of KEV-listed vulnerabilities is increasingly critical for all organizations amid a rising trend of targeted attacks against widely deployed network devices.
Why This Matters Now
The addition of these vulnerabilities to CISA's KEV Catalog highlights the increasing urgency for organizations to patch known infrastructure weaknesses before attackers exploit them. With evidence of active exploitation and federal compliance deadlines, failing to remediate can result in regulatory scrutiny, business disruption, or data loss.
Attack Path Analysis
Attackers gained initial access by exploiting CVE-2022-37055 and CVE-2025-66644 in unpatched edge network infrastructure. With foothold on the device, they escalated privileges to execute OS-level commands, likely enabling broader access or attacker tools. From there, they moved laterally to adjacent cloud or hybrid workloads via east-west traffic paths and unsegmented networks. The attackers established command & control through outbound connections, possibly leveraging encrypted or covert channels. They proceeded to exfiltrate data via unfiltered egress routes and, finally, sought to disrupt operations or deploy ransomware for maximum impact.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unpatched buffer overflow and command injection vulnerabilities in exposed network devices to gain initial access.
Related CVEs
CVE-2022-37055
CVSS 9.8A buffer overflow vulnerability in D-Link Go-RT-AC750 routers allows remote attackers to execute arbitrary code via the cgibin and hnap_main components.
Affected Products:
D-Link Go-RT-AC750 – GORTAC750_revA_v101b03, GO-RT-AC750_revB_FWv200b02
Exploit Status:
exploited in the wildCVE-2025-66644
CVSS 9.8A command injection vulnerability in Array Networks ArrayOS AG before version 9.4.5.9 allows remote attackers to execute arbitrary commands on the underlying operating system.
Affected Products:
Array Networks ArrayOS AG – < 9.4.5.9
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Exploitation of Remote Services
Valid Accounts
Impair Defenses
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components and Software
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05(a)
DORA – ICT Risk Management
Control ID: Article 10(2)
CISA ZTMM 2.0 – Timely Remediation of Vulnerabilities
Control ID: Asset Management: Patch and Vulnerability Management
NIS2 Directive – Asset and Vulnerability Management
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical infrastructure vulnerability exposure through D-Link routers and Array Networks devices requiring immediate KEV catalog remediation per BOD 22-01 compliance mandates.
Telecommunications
Network infrastructure at severe risk from buffer overflow and command injection vulnerabilities affecting routing equipment and network management systems requiring encrypted traffic controls.
Financial Services
Banking networks vulnerable to lateral movement attacks through compromised network devices, necessitating zero trust segmentation and enhanced east-west traffic security monitoring capabilities.
Health Care / Life Sciences
Healthcare networks face HIPAA compliance risks from known exploited vulnerabilities in network infrastructure requiring immediate threat detection and anomaly response implementation.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalogVerified
- D-Link Security Advisory SAP10308https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308Verified
- Hackers are exploiting ArrayOS AG VPN flaw to plant webshellshttps://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Cloud Network Security Framework controls like zero trust segmentation, east-west traffic isolation, egress security, and real-time threat detection would have substantially constrained attacker movement, visibility, and ability to exploit or monetize these network-layer vulnerabilities.
Control: Cloud Firewall (ACF)
Mitigation: Blocked inbound exploit attempts through strict network access control.
Control: Threat Detection & Anomaly Response
Mitigation: Detected anomalous privilege escalation and alerted on suspicious activity.
Control: Zero Trust Segmentation
Mitigation: Stopped unauthorized east-west movement between network segments.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked C2 communication attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked or alerted on suspicious outbound data transfers.
Provided rapid incident visibility and centralized response to contain impact.
Impact at a Glance
Affected Business Functions
- Network Operations
- Remote Access Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive configuration data and user credentials due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- • Strictly enforce vulnerability management on all network devices, prioritizing those listed in the CISA KEV catalog.
- • Deploy zero trust segmentation to isolate workloads and restrict lateral movement opportunities.
- • Implement egress controls and FQDN filtering to prevent unauthorized outbound data transfer and C2 channels.
- • Continuously monitor for anomalous privilege escalations and east-west traffic patterns using advanced threat detection tools.
- • Centralize multicloud visibility and use real-time incident response tools to rapidly contain and remediate threats.
