Skip to main content

Sonoma D12 CVE-2025-60960

HIGH
OS Command Injection (CWE-78)
2025-10-06 cve@mitre.org
8.2
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
9.8 CRITICAL

Network-reachable command injection with no listed auth (PR:N, verify), low complexity; full OS command execution justifies C:H/I:H/A:H unlike the input's understated C:L/I:H/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:36 vuln.today

DescriptionCVE.org

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

AnalysisAI

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets remote attackers inject operating-system commands into the appliance, enabling arbitrary code execution, privilege escalation, disclosure of sensitive data, and disruption of the device's timing service. A third-party advisory (xdiv-sec) documents the issue, but no public exploit was identified at time of analysis and it is not listed in CISA KEV; EPSS is modest at 1.20% (64th percentile). Because this device supplies authoritative time to dependent infrastructure, compromise can cascade beyond the appliance itself.

Technical ContextAI

The Sonoma D12 is a hardware GPS-disciplined Network Time Server (NTP/time distribution) appliance from EndRun Technologies, typically managed through a network-facing administrative interface (web/CLI). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied input reaches a shell or system() call without adequate sanitization, allowing attacker-controlled data to be interpreted as additional OS commands. On embedded appliances like this, management daemons commonly run with elevated or root privileges, so injected commands frequently execute in a high-privilege context. The single affected build is identified by CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000:*:*:*:*:*:*:*.

RemediationAI

No vendor-released patch version was identified at time of analysis, so confirm availability directly with EndRun Technologies and consult the third-party advisory at https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12 and the vendor site (http://sonoma.com) for a fixed firmware build before deploying. As compensating controls, remove the device's management interface from any untrusted or general-purpose network and place it on an isolated, firewalled management VLAN reachable only from trusted admin hosts (trade-off: administrators must use a jump host, adding operational friction). Restrict or block access to the web/CLI administration ports via ACLs while leaving the NTP service (UDP/123) available to legitimate time clients, and require VPN access for remote management (trade-off: does not fix the underlying injection, only reduces exposure). Enable and monitor device logs for anomalous management activity, and rotate any credentials that may have been exposed if compromise is suspected.

CVE-2025-60957 CRITICAL
9.9 Oct 06

Authenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,

CVE-2025-60965 CRITICAL
9.1 Oct 06

Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000

CVE-2025-60964 CRITICAL
9.1 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60963 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60962 HIGH
8.2 Oct 06

OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l

CVE-2025-60959 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60956 HIGH
8.0 Oct 06

Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0

CVE-2025-60967 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00

CVE-2025-60958 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60961 MEDIUM
6.1 Oct 06

Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a

CVE-2025-60969 MEDIUM
5.7 Oct 06

Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s

Share

CVE-2025-60960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy