Sonoma D12 CVE-2025-60961
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable web interface with no attacker privileges needed; scope changes to browser context; user interaction required for reflected XSS delivery.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Cross Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.
AnalysisAI
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a remote unauthenticated attacker to inject and execute malicious scripts in the context of an authenticated user's browser session against the device's web management interface. Exploitation requires the attacker to trick an administrator into interacting with a crafted URL or page, after which the scope crosses into the victim's browser context, enabling session theft or credential harvesting. No public exploit confirmed at time of analysis, and EPSS of 0.22% (13th percentile) signals low automated exploitation activity.
Technical ContextAI
The Sonoma D12 (CPE: cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000:*:*:*:*:*:*:*) is a GPS-disciplined hardware NTP appliance manufactured by EndRun Technologies, providing precise time synchronization for enterprise and critical infrastructure environments. It exposes a web-based management interface over HTTP/HTTPS, through which administrators configure timing parameters and monitor device status. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the firmware's web interface fails to sanitize attacker-controlled input before reflecting or rendering it in HTML responses. The CVSS Scope:Changed metric confirms the injected script executes in the browser's security context rather than remaining confined to the device's response, enabling cross-origin data access.
RemediationAI
No vendor-released patched firmware version has been independently confirmed from available data; the NVD references point to the researcher advisory and the vendor homepage without citing a specific fixed release. Operators should monitor http://sonoma.com and contact EndRun Technologies directly for a firmware update addressing CVE-2025-60961. As an immediate compensating control, restrict access to the Sonoma D12 web management interface to dedicated, trusted management VLANs or hosts using firewall ACLs, preventing unauthenticated external actors from delivering XSS payloads to administrators - this eliminates network-vector exposure entirely for isolated environments. Additionally, administrators should avoid clicking external links or opening emails while logged into the device's web interface, reducing UI:R exploitation success. If the management interface is not required, disabling HTTP/HTTPS administration access where the device supports out-of-band management further reduces the attack surface. Note: network isolation does not fix the underlying vulnerability and should be treated as a temporary measure until a patched firmware is available.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today