Cyber Resilience

CVE-2025-60957

CriticalRCE

Published: 06 October 2025

Published
06 October 2025
Modified
10 October 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0021 43.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60957 is a critical-severity OS Command Injection (CWE-78) vulnerability in Endruntechnologies Sonoma D12 Firmware. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-60957 is an OS Command Injection vulnerability (CWE-78) in the EndRun Technologies Sonoma D12 Network Time Server (GPS) firmware version 6010-0071-000 Ver 4.00. Published on 2025-10-06T17:16:06.497, it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across multiple security principles.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables execution of arbitrary code, denial of service, privilege escalation, and disclosure of sensitive information, with high scope change (S:C) amplifying effects on confidentiality (C:H), integrity (I:H), and availability (A:H).

Advisories providing further details, including potential mitigations or patches, are available from EndRun Technologies at http://endrun.com, Sonoma at http://sonoma.com, and a researcher advisory at https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12.

EU & UK References

Vulnerability details

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection in a public-facing network time server directly enables exploitation of public-facing application (T1190), command execution via Unix shell (T1059.004), and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-60959Same product: Endruntechnologies Sonoma D12
CVE-2025-60963Same product: Endruntechnologies Sonoma D12
CVE-2025-60964Same product: Endruntechnologies Sonoma D12
CVE-2025-60960Same product: Endruntechnologies Sonoma D12
CVE-2025-60962Same product: Endruntechnologies Sonoma D12
CVE-2025-60965Same product: Endruntechnologies Sonoma D12
CVE-2025-56102Shared CWE-78
CVE-2025-20029Shared CWE-78
CVE-2026-28774Shared CWE-78
CVE-2026-30809Shared CWE-78

Affected Assets

endruntechnologies
sonoma d12 firmware
6010-0071-000

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by implementing input validation mechanisms at entry points to block malicious command strings.

prevent

Requires timely identification, reporting, and remediation of flaws like this command injection vulnerability through firmware patching.

prevent

Mitigates arbitrary code execution resulting from command injection via memory protections such as non-executable memory regions.

References