External risk intelligence

EndRun Sonoma D12 OS Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-60965

The affected product is a network time server, which is typically deployed as a standalone appliance at the edge of a network or within a datacenter infrastructure to provide authoritative time synchronization, often resulting in exposure to network segments that are reachable from external sources.

OS Command Injection

Endruntechnologies Sonoma D12 Firmware

6010-0071-000

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects EndRun Technologies' Sonoma D12 Network Time Server, specifically its firmware, allowing potential attackers to execute arbitrary code and gain elevated privileges if they can access the device. The primary concern is confirming if this specific time server technology is in use within our environment and understanding any potential exposure.

  • Allows unauthorized code execution.
  • Affects critical network time synchronization devices.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with privileged access to the EndRun Technologies Sonoma D12 Network Time Server could send specially crafted commands to the device. This could allow them to execute arbitrary code, leading to system compromise, denial of service, or unauthorized access to sensitive information.

  • Requires authenticated access.
  • Achieved through OS command injection.
  • Risk of code execution and privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated attacker to execute arbitrary code on the affected network time server, potentially leading to unauthorized access, data exposure, or service disruption. Supported conditions for impact include network accessibility and administrative privileges.

  • Asset at risk: Network time synchronization service.
  • How exposure could happen: Executing commands via the vulnerability.
  • Realistic consequence: Service disruption or unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

System owners and infrastructure teams are likely responsible for addressing this OS command injection vulnerability in the EndRun Technologies Sonoma D12 Network Time Server firmware, as it is a critical network appliance. The first step should be to identify all deployed instances, assess their network exposure and business criticality, and locate the accountable system owner. Subsequently, a remediation plan should be developed based on the identified risks, potentially involving vendor coordination for firmware updates or implementing temporary mitigating controls if immediate patching is not feasible.

  • Identify affected network time servers.
  • Verify network exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the EndRun Technologies Sonoma D12?

The Sonoma D12 is a network time server, a specialized hardware appliance used in datacenters and network infrastructure to provide precise, authoritative time synchronization via GPS. These devices ensure that connected servers and network equipment operate with synchronized clocks, which is essential for logging, security protocols, and distributed system coordination.

What does OS Command Injection mean for CVE-2025-60965?

This vulnerability, classified as CWE-78, means the device's software improperly handles input, allowing an attacker to insert and run their own system-level commands. Because the system treats this malicious input as legitimate instructions, it can lead to full system compromise, enabling unauthorized code execution or service disruption.

How can an attacker trigger this vulnerability?

An attacker must have privileged access to the device to send the specially crafted commands that trigger the injection. Simply reaching the device over the network is not enough; the attacker needs valid administrative credentials to interact with the system in a way that allows them to pass these malicious commands to the underlying operating system.

Is my network time server at risk?

Halo Surface Signal indicates that because the Sonoma D12 is often deployed at the network edge or within datacenter infrastructure, it is frequently reachable from external sources. If your device is accessible from the internet or exposed to broader network segments, it is more likely to be reachable by unauthorized parties compared to devices isolated on restricted management networks.

What should I do if I use this hardware?

Your first step is to create a complete inventory of all Sonoma D12 units in your environment to understand their current role and network placement. Once located, verify which systems are directly accessible from your network perimeter and coordinate with your infrastructure team to prioritize these assets for remediation, such as applying official vendor firmware updates.

References