Sonoma D12 CVE-2025-60960
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Network-reachable command injection with no listed auth (PR:N, verify), low complexity; full OS command execution justifies C:H/I:H/A:H unlike the input's understated C:L/I:H/A:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
AnalysisAI
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets remote attackers inject operating-system commands into the appliance, enabling arbitrary code execution, privilege escalation, disclosure of sensitive data, and disruption of the device's timing service. A third-party advisory (xdiv-sec) documents the issue, but no public exploit was identified at time of analysis and it is not listed in CISA KEV; EPSS is modest at 1.20% (64th percentile). Because this device supplies authoritative time to dependent infrastructure, compromise can cascade beyond the appliance itself.
Technical ContextAI
The Sonoma D12 is a hardware GPS-disciplined Network Time Server (NTP/time distribution) appliance from EndRun Technologies, typically managed through a network-facing administrative interface (web/CLI). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied input reaches a shell or system() call without adequate sanitization, allowing attacker-controlled data to be interpreted as additional OS commands. On embedded appliances like this, management daemons commonly run with elevated or root privileges, so injected commands frequently execute in a high-privilege context. The single affected build is identified by CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000:*:*:*:*:*:*:*.
RemediationAI
No vendor-released patch version was identified at time of analysis, so confirm availability directly with EndRun Technologies and consult the third-party advisory at https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12 and the vendor site (http://sonoma.com) for a fixed firmware build before deploying. As compensating controls, remove the device's management interface from any untrusted or general-purpose network and place it on an isolated, firewalled management VLAN reachable only from trusted admin hosts (trade-off: administrators must use a jump host, adding operational friction). Restrict or block access to the web/CLI administration ports via ACLs while leaving the NTP service (UDP/123) available to legitimate time clients, and require VPN access for remote management (trade-off: does not fix the underlying injection, only reduces exposure). Enable and monitor device logs for anomalous management activity, and rotate any credentials that may have been exposed if compromise is suspected.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today