Sonoma D12 CVE-2025-60965
CRITICALSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable management interface (AV:N) with low complexity, but requires administrative auth (PR:H); command injection escapes the app to the device OS (S:C) with full CIA impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.
AnalysisAI
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) lets a privileged remote user inject arbitrary operating-system commands that run outside the vulnerable component, yielding full device takeover, denial of service, privilege escalation, and disclosure of sensitive timing/configuration data. Because Network Time Servers act as an authoritative time source for entire environments, compromise can cascade into time-manipulation attacks against downstream systems (logging, certificates, Kerberos). This is no public exploit identified at time of analysis, though a third-party advisory (xdiv-sec) documents the flaw; EPSS is modest at 1.63% (73rd percentile).
Technical ContextAI
The affected component is the management/administrative interface of an embedded GPS-disciplined Network Time Server appliance (CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0071-000). The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning attacker-supplied input is passed into a shell or system() call without adequate sanitization, so shell metacharacters (;, |, &&, backticks, $()) break out of the intended command context and execute on the underlying embedded Linux/RTOS. On appliance-class hardware the web/CLI process frequently runs as root or a high-privilege service account, which is consistent with the CVSS scope-change (S:C) rating: injected commands escape the application sandbox and act on the whole device operating system.
RemediationAI
No vendor-released patch identified at time of analysis; the provided references include the vendor site (http://sonoma.com) and a third-party advisory (https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12) but no fixed firmware version. As compensating controls, restrict management-plane access to the Sonoma D12 by placing it on an isolated out-of-band management VLAN and permitting the web/CLI admin interfaces only from a small allowlist of administrator hosts (trade-off: legitimate remote admins must use a jump host); enforce strong, unique administrator credentials and disable any default accounts to raise the PR:H barrier the exploit depends on; and monitor the appliance and its NTP responses for anomalies since time manipulation affects downstream logging and authentication. Contact EndRun Technologies to confirm a patched firmware release and apply it as the primary fix once available, then rotate admin credentials assuming prior compromise.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes s
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today