CVE-2025-60962

HighRCE

Published: 06 October 2025

Published

06 October 2025

Modified

10 October 2025

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0042 62.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60962 is a high-severity OS Command Injection (CWE-78) vulnerability in Endruntechnologies Sonoma D12 Firmware. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates OS command injection by validating inputs at network interfaces to reject malicious command payloads in the vulnerable firmware.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the specific command injection flaw in Sonoma D12 firmware version 4.00 to eliminate the vulnerability.

AC-6 Least Privilege partial match

prevent

Limits damage from successful command injection by enforcing least privilege on affected processes, reducing integrity and confidentiality impacts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Remote unauthenticated OS command injection in a public-facing network time server directly enables T1190 (Exploit Public-Facing Application) as the initial access vector and facilitates T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to gain sensitive information, and possibly other unspecified impacts.

Deeper analysisAI

CVE-2025-60962 is an OS Command Injection vulnerability (CWE-78) in the EndRun Technologies Sonoma D12 Network Time Server (GPS) firmware version 6010-0071-000 Ver 4.00. Published on 2025-10-06T17:16:07.080, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote attackers can exploit this vulnerability without authentication by injecting operating system commands, potentially gaining sensitive information and achieving other unspecified impacts. The high integrity impact score reflects the potential for significant unauthorized modifications, while confidentiality impact is low and availability remains unaffected.

Advisories referenced in the CVE details, including https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12 from xdiv-sec, along with vendor sites at http://endrun.com and http://sonoma.com, provide further information on the issue.