External risk intelligence

EndRun Technologies Sonoma D12 OS Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-60964

The device is a network time server. While these are typically deployed within internal network infrastructure to provide time synchronization to local devices, they are sometimes configured with management interfaces that could be exposed to the internet, though public exposure is not the standard design for the primary function of a time server.

OS Command Injection

Endruntechnologies Sonoma D12 Firmware

6010-0071-000

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in EndRun Technologies Sonoma D12 Network Time Server firmware, a device used for synchronizing time across networks. This issue could allow unauthorized users to execute malicious code, disrupt service, gain elevated access, or steal sensitive information. The main concern is to confirm if this specific technology is present and exposed within our environment.

  • Allows unauthorized code execution and data access.
  • Critical for network infrastructure if affected.
  • Verify relevance and exposure within our systems.

Attack Path

How an attacker could exploit the issue

An attacker with administrative access to the EndRun Technologies Sonoma D12 Network Time Server could send specially crafted commands to the device. Because of how the device processes these commands, it could be tricked into running arbitrary code. This could allow an attacker to take control of the device, steal information, or disrupt its service.

  • Requires administrative access.
  • Entry point is the network interface.
  • Risk of code execution and data theft.

Live Threat

Current exploitation, exposure, and threat context

An OS command injection vulnerability could allow an attacker with administrative privileges to execute arbitrary code, potentially leading to denial of service, privilege escalation, or unauthorized access to sensitive information on the network time server.

  • System commands could be executed.
  • Via specially crafted network requests.
  • Leading to unauthorized system control.

Operational Fix

Recommended remediation, mitigation, and detection steps

Identifying the scope of the OS command injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server firmware requires collaboration between infrastructure and security teams. The first practical step is to locate all instances of this device within your environment, determine their network exposure and business criticality, and identify the accountable owner for remediation planning.

  • Identify and confirm accountable owner.
  • Verify network reachability and criticality.
  • Plan remediation based on exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the EndRun Technologies Sonoma D12?

The Sonoma D12 is a network time server. Organizations use these devices to provide highly accurate and synchronized time signals across their internal networks, which is critical for logging, security protocols, and infrastructure coordination. The device functions by processing specialized hardware inputs, like GPS, and distributing that time data to connected systems.

What is the OS Command Injection weakness in CVE-2025-60964?

This is a security flaw classified as CWE-78, where an application improperly constructs system commands using user-supplied input. In this CVE, the device fails to safely filter incoming data. Instead of rejecting malicious input, the system inadvertently treats that data as executable commands, allowing unauthorized code to run with the privileges of the underlying operating system.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending specifically crafted network requests to the device. Crucially, the vulnerability requires the attacker to already possess administrative privileges to successfully submit the malicious commands. It is not triggered by standard, unauthenticated network traffic or routine time-synchronization requests.

Is my network at risk from this CVE?

Halo Surface Signal notes that while these servers are intended for internal infrastructure, some management interfaces are improperly exposed to the internet. If your device is reachable from outside your local network, the risk is higher. You should assess whether your Sonoma D12 interfaces are accessible beyond your internal network boundary.

What should I do if I use this device?

Begin by inventorying your environment to locate all Sonoma D12 units and confirm which teams manage them. Prioritize identifying which devices have network-accessible management interfaces. Once you have identified the assets and their owners, coordinate with your infrastructure team to review vendor guidance and plan for authorized updates.

References