CVE-2025-60963

HighRCE

Published: 06 October 2025

Published

06 October 2025

Modified

10 October 2025

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0042 61.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60963 is a high-severity OS Command Injection (CWE-78) vulnerability in Endruntechnologies Sonoma D12 Firmware. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating network inputs against expected formats and rejecting malformed or malicious command strings.

SI-2 Flaw Remediation good match

prevent

Addresses the specific firmware vulnerability through identification, reporting, and timely remediation via patching to eliminate the command injection flaw.

AC-6 Least Privilege partial match

prevent

Limits damage from successful injection and privilege escalation by restricting processes and accounts to least privilege necessary for operations.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

OS command injection in public-facing network time server enables unauthenticated remote exploitation for arbitrary code execution (T1190) and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

Deeper analysisAI

CVE-2025-60963 is an OS Command Injection vulnerability (CWE-78) in the EndRun Technologies Sonoma D12 Network Time Server (GPS) firmware version 6010-0071-000 Ver 4.00. Published on 2025-10-06T17:16:07.193, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). The vulnerability enables attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and access sensitive information.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity and no user interaction required. Exploitation grants high integrity impact through arbitrary code execution and privilege escalation, alongside low confidentiality impact from sensitive information disclosure and potential denial of service effects.

Advisories and additional details are available at http://endrun.com, http://sonoma.com, and https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12.