Sonoma D12 CVE-2025-60956
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CSRF attacker needs no own credentials (PR:N) but relies on a logged-in victim clicking (UI:R); network-reachable web UI with low complexity and full C/I/A impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
AnalysisAI
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets a remote attacker forge state-changing web requests that a logged-in operator's browser executes, chaining into arbitrary code execution, denial of service, privilege escalation, and disclosure of sensitive data on the appliance. Any organization relying on this GPS-disciplined NTP appliance for time synchronization is affected. No public exploit identified at time of analysis, though an independent research advisory (xdiv-sec) documenting the flaw has been published.
Technical ContextAI
The Sonoma D12 is a hardware GPS-disciplined network time server that serves NTP/PTP time to infrastructure and is administered through an embedded web management interface. The root cause is CWE-352 (Cross-Site Request Forgery): the web UI does not validate that state-changing requests originate from a legitimate, intentionally-submitted form - it lacks anti-CSRF tokens or equivalent origin verification. As a result, requests are trusted solely on the basis of the victim's existing authenticated session cookie. The single CPE, cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000, confirms the defect is in the firmware's management application rather than in an underlying protocol like NTP itself. Because administrative functions on such appliances can reconfigure the device or run privileged operations, a forged request can be leveraged for the broad impacts described (code execution, DoS, privilege escalation, information disclosure).
RemediationAI
No vendor-released patch identified at time of analysis; the references point to the vendor site (http://sonoma.com) and an independent advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12), so contact EndRun Technologies for updated firmware before deploying any fix. As compensating controls, restrict the Sonoma D12 management interface to a dedicated, isolated management VLAN reachable only from trusted admin workstations (trade-off: administrators must use a jump host); prevent operators from browsing the general web or opening untrusted links while an admin session to the device is active, and terminate management sessions immediately after use to shrink the CSRF window; and place the interface behind a reverse proxy or WAF that enforces strict Origin/Referer checks on state-changing requests (trade-off: may break legitimate scripted management and requires per-endpoint tuning). Because the exploit needs an authenticated operator's browser, these session- and network-isolation controls are the highest-value mitigations until firmware is patched.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today