Skip to main content

Sonoma D12 CVE-2025-60956

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-10-06 cve@mitre.org
8.0
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

CSRF attacker needs no own credentials (PR:N) but relies on a logged-in victim clicking (UI:R); network-reachable web UI with low complexity and full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:31 vuln.today

DescriptionCVE.org

Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

AnalysisAI

Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets a remote attacker forge state-changing web requests that a logged-in operator's browser executes, chaining into arbitrary code execution, denial of service, privilege escalation, and disclosure of sensitive data on the appliance. Any organization relying on this GPS-disciplined NTP appliance for time synchronization is affected. No public exploit identified at time of analysis, though an independent research advisory (xdiv-sec) documenting the flaw has been published.

Technical ContextAI

The Sonoma D12 is a hardware GPS-disciplined network time server that serves NTP/PTP time to infrastructure and is administered through an embedded web management interface. The root cause is CWE-352 (Cross-Site Request Forgery): the web UI does not validate that state-changing requests originate from a legitimate, intentionally-submitted form - it lacks anti-CSRF tokens or equivalent origin verification. As a result, requests are trusted solely on the basis of the victim's existing authenticated session cookie. The single CPE, cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000, confirms the defect is in the firmware's management application rather than in an underlying protocol like NTP itself. Because administrative functions on such appliances can reconfigure the device or run privileged operations, a forged request can be leveraged for the broad impacts described (code execution, DoS, privilege escalation, information disclosure).

RemediationAI

No vendor-released patch identified at time of analysis; the references point to the vendor site (http://sonoma.com) and an independent advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12), so contact EndRun Technologies for updated firmware before deploying any fix. As compensating controls, restrict the Sonoma D12 management interface to a dedicated, isolated management VLAN reachable only from trusted admin workstations (trade-off: administrators must use a jump host); prevent operators from browsing the general web or opening untrusted links while an admin session to the device is active, and terminate management sessions immediately after use to shrink the CSRF window; and place the interface behind a reverse proxy or WAF that enforces strict Origin/Referer checks on state-changing requests (trade-off: may break legitimate scripted management and requires per-endpoint tuning). Because the exploit needs an authenticated operator's browser, these session- and network-isolation controls are the highest-value mitigations until firmware is patched.

CVE-2025-60957 CRITICAL
9.9 Oct 06

Authenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,

CVE-2025-60965 CRITICAL
9.1 Oct 06

Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000

CVE-2025-60964 CRITICAL
9.1 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60963 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60960 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60962 HIGH
8.2 Oct 06

OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l

CVE-2025-60959 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60967 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00

CVE-2025-60958 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60961 MEDIUM
6.1 Oct 06

Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a

CVE-2025-60969 MEDIUM
5.7 Oct 06

Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s

Share

CVE-2025-60956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy