Sonoma D12 CVE-2025-60969
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Network-reachable web interface with low-privilege auth required; path traversal is direct read with no write or availability impact, and UI:R is not typical for server-side traversal.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Directory Traversal vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0076-000 Ver 4.00 allows attackers to gain sensitive information.
AnalysisAI
Path traversal in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000 Ver 4.00) exposes sensitive files to authenticated network attackers. The flaw resides in the device's web interface, where insufficiently validated path input allows an attacker to escape the intended directory root and read arbitrary files from the underlying filesystem. No public exploit code or active exploitation has been confirmed at time of analysis, but a third-party security researcher advisory exists at xdiv-sec.github.io detailing the issue.
Technical ContextAI
CWE-22 (Path Traversal) describes failure to neutralize special path elements ('../', '%2e%2e/', etc.) before using attacker-controlled input to construct file paths. The affected product is a purpose-built GPS-disciplined NTP appliance manufactured by EndRun Technologies; the specific firmware identified by CPE cpe:2.3:o:endruntechnologies:sonoma_d12_firmware:6010-0076-000 is version 4.00. Such appliances typically expose an embedded web management interface over HTTP/HTTPS, and the traversal likely occurs within a file-serving or log-retrieval function of that interface. Because this is an embedded firmware target, the underlying OS and file layout are fixed, making sensitive file paths (credential stores, configuration files, private keys) predictable.
RemediationAI
No vendor-released patch has been identified at time of analysis; affected firmware version is 6010-0076-000 Ver 4.00. Operators should contact EndRun Technologies directly to request a patched firmware release. As an immediate compensating control, restrict network access to the Sonoma D12 web management interface using firewall rules or ACLs so that only trusted management hosts can reach it - this directly addresses the AV:N vector and eliminates remote exploitation even without a patch. Additionally, disable the web interface entirely if NTP-only operation is sufficient, since the core time-serving function (NTP/PTP) does not require the HTTP management plane. Audit web interface user accounts and remove any unnecessary low-privilege accounts to raise the authentication barrier. Note that restricting web access may impair remote monitoring and configuration capabilities.
More in Sonoma D12 Firmware
View allAuthenticated command injection in EndRun Technologies Sonoma D12 GPS Network Time Server firmware (build 6010-0071-000,
Authenticated OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, Ver 4.00) le
OS command injection in EndRun Technologies' Sonoma D12 GPS Network Time Server (firmware 6010-0071-000, version 4.00) l
OS command injection in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site request forgery in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.0
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0076-000, version 4.00
Cross-site scripting in the EndRun Technologies Sonoma D12 GPS Network Time Server (firmware 6010-0071-000 Ver 4.00) let
Cross-site scripting in EndRun Technologies Sonoma D12 GPS Network Time Server firmware 6010-0071-000 Ver 4.00 allows a
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today