External risk intelligence

EndRun Sonoma D12 OS Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2025-60957

The affected product is a network time server, which is typically deployed as a standalone appliance or gateway service on a network to provide time synchronization, often positioned at the network edge or in a centralized role where it is reachable by systems that may have exposure to external networks.

OS Command Injection

Endruntechnologies Sonoma D12 Firmware

6010-0071-000

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in EndRun Technologies Sonoma D12 Network Time Server firmware that could allow an attacker with limited access to execute arbitrary code, potentially leading to a denial of service, privilege escalation, or unauthorized access to sensitive information.

  • Allows code execution and system control.
  • Affects critical network time synchronization.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can target the Sonoma D12 Network Time Server through its network interface, exploiting an OS command injection vulnerability. This allows them to execute arbitrary commands, potentially leading to unauthorized code execution, elevated privileges, or the exposure of sensitive information on the device.

  • Network access required.
  • Vulnerable web interface.
  • Code execution and privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the Sonoma D12 Network Time Server, potentially impacting its availability and allowing unauthorized access to sensitive information. This could occur when the device is accessible over the network, and an attacker leverages the command injection flaw.

  • Network time synchronization service.
  • Arbitrary code execution via network.
  • Denial of service and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for network infrastructure and device management should prioritize addressing this command injection vulnerability in the EndRun Technologies Sonoma D12. The first critical step is to locate all instances of the affected firmware, determine their network exposure and business criticality, identify the accountable system owners, and then develop a remediation plan based on the identified risks.

  • Network and infrastructure teams own remediation.
  • Verify network exposure and business criticality.
  • Plan targeted updates or vendor engagement.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the EndRun Sonoma D12?

The EndRun Sonoma D12 is a network time server, an appliance that provides precise time synchronization across a network using GPS signals. It is typically deployed as a standalone unit to ensure that critical infrastructure, servers, and devices maintain accurate, synchronized clocks, which is essential for logging, security protocols, and operational consistency.

What does OS command injection mean for CVE-2025-60957?

Classified as CWE-78, this weakness allows an attacker to insert unauthorized operating system commands into the device's software. Because the system fails to properly filter these inputs, it inadvertently executes them as if they were legitimate system instructions. This grants an attacker the ability to manipulate the server, potentially seizing control or accessing data.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specifically crafted inputs through the network interface to the vulnerable web management component. The vulnerability requires network-level access to reach the interface; it is not triggered by localized physical interactions or passive background time synchronization traffic that does not engage the management web interface.

Is my Sonoma D12 at risk?

Halo Surface Signal indicates that because these units often act as gateways at the network edge to provide central time synchronization, they are frequently reachable by systems with external network exposure. If your device is accessible via a network path that touches external environments, it is at higher risk of being reached by unauthorized actors.

What should I do to secure my device?

Begin by auditing your infrastructure to map every instance of the Sonoma D12 using the affected firmware version. Assess how each unit is positioned on your network to confirm if it is reachable from untrusted segments. Identify the responsible system owners and prepare to coordinate with EndRun Technologies to obtain and deploy the necessary firmware updates once available.

References