Skip to main content

Sonoma D12 CVE-2025-60965

CRITICAL
OS Command Injection (CWE-78)
2025-10-06 cve@mitre.org
9.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable management interface (AV:N) with low complexity, but requires administrative auth (PR:H); command injection escapes the app to the device OS (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:42 vuln.today

DescriptionCVE.org

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.

AnalysisAI

Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets a privileged remote user inject arbitrary operating-system commands that run outside the vulnerable component, yielding full device takeover, denial of service, privilege escalation, and disclosure of sensitive timing/configuration data. Because Network Time Servers act as an authoritative time source for entire environments, compromise can cascade into time-manipulation attacks against downstream systems (logging, certificates, Kerberos). This is no public exploit identified at time of analysis, though a third-party advisory (xdiv-sec) documents the flaw; EPSS is modest at 1.63% (73rd percentile).

Technical ContextAI

The affected component is the management/administrative interface of an embedded GPS-disciplined Network Time Server appliance (CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning attacker-supplied input is passed into a shell or system() call without adequate sanitization, so shell metacharacters (;, |, &&, backticks, $()) break out of the intended command context and execute on the underlying embedded Linux/RTOS. On appliance-class hardware the web/CLI process frequently runs as root or a high-privilege service account, which is consistent with the CVSS scope-change (S:C) rating: injected commands escape the application sandbox and act on the whole device operating system.

RemediationAI

No vendor-released patch identified at time of analysis; the provided references include the vendor site (http://sonoma.com) and a third-party advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12) but no fixed firmware version. As compensating controls, restrict management-plane access to the Sonoma D12 by placing it on an isolated out-of-band management VLAN and permitting the web/CLI admin interfaces only from a small allowlist of administrator hosts (trade-off: legitimate remote admins must use a jump host); enforce strong, unique administrator credentials and disable any default accounts to raise the PR:H barrier the exploit depends on; and monitor the appliance and its NTP responses for anomalies since time manipulation affects downstream logging and authentication. Contact EndRun Technologies to confirm a patched firmware release and apply it as the primary fix once available, then rotate admin credentials assuming prior compromise.

CVE-2025-60957 CRITICAL
9.9 Oct 06

Authenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,

CVE-2025-60964 CRITICAL
9.1 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60963 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60960 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le

CVE-2025-60962 HIGH
8.2 Oct 06

OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l

CVE-2025-60959 HIGH
8.2 Oct 06

OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60956 HIGH
8.0 Oct 06

Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0

CVE-2025-60967 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00

CVE-2025-60958 HIGH
7.3 Oct 06

Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let

CVE-2025-60961 MEDIUM
6.1 Oct 06

Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a

CVE-2025-60969 MEDIUM
5.7 Oct 06

Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s

Share

CVE-2025-60965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy