Sonoma D12 CVE-2025-60963
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Network-reachable, low-complexity OS command injection with no confirmed auth requirement yields full C/I/A on the appliance; PR:N retained per NVD but auth is unverified.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
AnalysisAI
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) lets remote attackers inject shell commands that the appliance executes, enabling arbitrary code execution, denial of service, privilege escalation, and disclosure of sensitive data. The NVD CVSS 3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N) and a third-party technical advisory (xdiv-sec) has been published, but there is no public exploit identified at time of analysis and the flaw is not on CISA KEV. EPSS is modest at 1.20% (64th percentile), indicating no observed mass exploitation to date.
Technical ContextAI
The Sonoma D12 is a GPS-disciplined network time server (NTP/PTP timing appliance) used to distribute precise time to networked infrastructure, typically administered through an embedded management interface (web/CLI/SNMP). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): attacker-controlled input is passed into a shell or system() call on the underlying embedded Linux/RTOS without sanitization, so metacharacters (;, |, `, $()) break out of the intended command and run arbitrary OS commands with the privileges of the handling process - commonly root on such appliances. The affected component is precisely identified by CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000, i.e. the firmware image 6010-0071-000 Ver 4.00.
RemediationAI
No vendor-released patch or fixed firmware version is identified in the available data at time of analysis, so remediation must currently rely on compensating controls: place the Sonoma D12 management interfaces on an isolated, out-of-band management VLAN and restrict access with an ACL/firewall so only trusted administration hosts can reach the web/CLI/SNMP services (trade-off: legitimate remote admin must go through a jump host); disable any unused remote management protocols on the appliance to shrink the attack surface; and monitor the device for anomalous outbound connections or configuration changes. Contact EndRun Technologies (http://sonoma.com) for a fixed firmware build and consult the third-party advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12) for the specific vulnerable endpoint so that endpoint can be blocked at a reverse proxy if the interface must remain exposed. Because the device is a timing trust anchor, also audit downstream NTP/PTP clients for signs of time manipulation.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today