Sonoma D12 CVE-2025-60959
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
OS command injection normally yields shell-level control, so I raise C/I/A to High; AV:N/AC:L/PR:N retained from the published vector as no authentication is documented, though management-interface auth is unconfirmed.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information.
AnalysisAI
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets remote attackers inject operating-system commands and extract sensitive information from the appliance. The flaw is reachable over the network without authentication per the published CVSS vector, and a third-party security advisory (xdiv-sec) documents the issue. No public exploit identified at time of analysis, and EPSS probability is low (1.00%, 59th percentile).
Technical ContextAI
The Sonoma D12 is a hardware GPS-disciplined network time server appliance used to provide authoritative NTP/timing to network infrastructure. The vulnerability is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-controllable input is passed into a shell or system() call on the embedded firmware without adequate sanitization, allowing attacker-supplied data to break out into arbitrary OS commands. The single affected component per NVD CPE is cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000, i.e. the device firmware image itself; the injection point is almost certainly the device's web or network management interface, though the exact parameter is not enumerated in the NVD record.
RemediationAI
No vendor-released patch version is identified at time of analysis; the NVD references point only to the vendor site (http://sonoma.com) and a third-party research advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12), not to a tagged fixed firmware build - contact EndRun Technologies for a patched firmware image for the 6010-0071-000 line. As compensating controls: place the Sonoma D12 management interface on an isolated, out-of-band management VLAN and restrict inbound access to the web/management ports to a small set of trusted administrator hosts via ACL or firewall (trade-off: administrators must reach it through a jump host); disable any unused remote management services (HTTP/Telnet) in favor of authenticated, encrypted access only; and monitor the appliance and upstream firewall logs for anomalous requests to management endpoints. These controls reduce network reachability, which directly neutralizes the AV:N exposure, but do not fix the underlying injection.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today