Cyber Resilience

CVE-2025-60963

HighRCE

Published: 06 October 2025

Published
06 October 2025
Modified
10 October 2025
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0054 68.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60963 is a high-severity OS Command Injection (CWE-78) vulnerability in Endruntechnologies Sonoma D12 Firmware. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-60963 is an OS Command Injection vulnerability (CWE-78) in the EndRun Technologies Sonoma D12 Network Time Server (GPS) firmware version 6010-0071-000 Ver 4.00. Published on 2025-10-06T17:16:07.193, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). The vulnerability enables attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and access sensitive information.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity and no user interaction required. Exploitation grants high integrity impact through arbitrary code execution and privilege escalation, alongside low confidentiality impact from sensitive information disclosure and potential denial of service effects.

Advisories and additional details are available at http://endrun.com, http://sonoma.com, and https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12.

EU & UK References

Vulnerability details

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection in public-facing network time server enables unauthenticated remote exploitation for arbitrary code execution (T1190) and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-60957Same product: Endruntechnologies Sonoma D12
CVE-2025-60962Same product: Endruntechnologies Sonoma D12
CVE-2025-60959Same product: Endruntechnologies Sonoma D12
CVE-2025-60964Same product: Endruntechnologies Sonoma D12
CVE-2025-60960Same product: Endruntechnologies Sonoma D12
CVE-2025-60965Same product: Endruntechnologies Sonoma D12
CVE-2025-34335Shared CWE-78
CVE-2026-1427Shared CWE-78
CVE-2025-56102Shared CWE-78
CVE-2025-20029Shared CWE-78

Affected Assets

endruntechnologies
sonoma d12 firmware
6010-0071-000

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by validating network inputs against expected formats and rejecting malformed or malicious command strings.

prevent

Addresses the specific firmware vulnerability through identification, reporting, and timely remediation via patching to eliminate the command injection flaw.

prevent

Limits damage from successful injection and privilege escalation by restricting processes and accounts to least privilege necessary for operations.

References