Skip to main content

Sonoma D12 CVE-2025-60963

HIGH
OS Command Injection (CWE-78)
2025-10-06 cve@mitre.org
8.2
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
9.8 CRITICAL

Network-reachable, low-complexity OS command injection with no confirmed auth requirement yields full C/I/A on the appliance; PR:N retained per NVD but auth is unverified.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:39 vuln.today

DescriptionCVE.org

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

AnalysisAI

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets remote attackers inject shell commands that the appliance executes, enabling arbitrary code execution, denial of service, privilege escalation, and disclosure of sensitive data. The NVD CVSS 3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N) and a third-party technical advisory (xdiv-sec) has been published, but there is no public exploit identified at time of analysis and the flaw is not on CISA KEV. EPSS is modest at 1.20% (64th percentile), indicating no observed mass exploitation to date.

Technical ContextAI

The Sonoma D12 is a GPS-disciplined network time server (NTP/PTP timing appliance) used to distribute precise time to networked infrastructure, typically administered through an embedded management interface (web/CLI/SNMP). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): attacker-controlled input is passed into a shell or system() call on the underlying embedded Linux/RTOS without sanitization, so metacharacters (;, |, `, $()) break out of the intended command and run arbitrary OS commands with the privileges of the handling process - commonly root on such appliances. The affected component is precisely identified by CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000, i.e. the firmware image 6010-0071-000 Ver 4.00.

RemediationAI

No vendor-released patch or fixed firmware version is identified in the available data at time of analysis, so remediation must currently rely on compensating controls: place the Sonoma D12 management interfaces on an isolated, out-of-band management VLAN and restrict access with an ACL/firewall so only trusted administration hosts can reach the web/CLI/SNMP services (trade-off: legitimate remote admin must go through a jump host); disable any unused remote management protocols on the appliance to shrink the attack surface; and monitor the device for anomalous outbound connections or configuration changes. Contact EndRun Technologies (http://sonoma.com) for a fixed firmware build and consult the third-party advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12) for the specific vulnerable endpoint so that endpoint can be blocked at a reverse proxy if the interface must remain exposed. Because the device is a timing trust anchor, also audit downstream NTP/PTP clients for signs of time manipulation.

CVE-2025-60957 CRITICAL
9.9 Oct 06

Authenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,

CVE-2025-60965 CRITICAL
9.1 Oct 06

Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000

CVE-2025-60964 CRITICAL
9.1 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60960 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60962 HIGH
8.2 Oct 06

OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l

CVE-2025-60959 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60956 HIGH
8.0 Oct 06

Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0

CVE-2025-60967 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00

CVE-2025-60958 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60961 MEDIUM
6.1 Oct 06

Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a

CVE-2025-60969 MEDIUM
5.7 Oct 06

Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s

Share

CVE-2025-60963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy