Cyber Posture

CVE-2025-60964

Critical · RCE

Published: 06 October 2025

Modified: 10 October 2025
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-60964 is a critical-severity OS Command Injection (CWE-78) vulnerability in EndRun Technologies Sonoma D12 firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 33.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates identification, reporting, and timely remediation of the OS command injection flaw in the Sonoma D12 firmware to prevent exploitation.

Prevent: Requires validation of all information inputs to block malicious OS command injection through vulnerable interfaces.

Prevent: Limits privileges of high-privilege accounts required for exploitation, reducing impact of arbitrary code execution and privilege escalation.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

OS command injection enables remote exploitation of the service (T1210), Unix shell command execution (T1059.004), privilege escalation (T1068), and DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.

Deeper analysis

CVE-2025-60964 is an OS Command Injection vulnerability (CWE-78) in EndRun Technologies Sonoma D12 Network Time Server (GPS) firmware version 6010-0071-000 Ver 4.00. Published on 2025-10-06T17:16:07.307, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The vulnerability enables attackers to execute arbitrary code, cause denial of service, gain escalated privileges, obtain sensitive information, and achieve possibly other unspecified impacts.

Attackers require high privileges (PR:H) to exploit this flaw remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Upon successful exploitation, the impact crosses security scope (S:C), resulting in high confidentiality, integrity, and availability effects (C:H/I:H/A:H). Privileged adversaries can thus execute arbitrary operating system commands, disrupt time server operations, further escalate privileges, exfiltrate sensitive data, and pursue additional unspecified consequences.

Advisories detailing mitigations and patches are available from EndRun Technologies at http://endrun.com and http://sonoma.com, along with a vulnerability research advisory at https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12.

Details

CWE(s)

Affected Products

endruntechnologies · sonoma d12 firmware · 6010-0071-000

CVEs Like This One

CVE-2025-60960 (same product: EndRun Technologies Sonoma D12)
CVE-2025-60965 (same product: EndRun Technologies Sonoma D12)
CVE-2025-60957 (same product: EndRun Technologies Sonoma D12)
CVE-2025-60959 (same product: EndRun Technologies Sonoma D12)
CVE-2025-60963 (same product: EndRun Technologies Sonoma D12)
CVE-2025-60962 (same product: EndRun Technologies Sonoma D12)
CVE-2026-34792 (shared CWE-78)
CVE-2025-66211 (shared CWE-78)
CVE-2025-56113 (shared CWE-78)
CVE-2021-47745 (shared CWE-78)