Cyber Posture

CVE-2025-60965

Critical · RCE

Published: 06 October 2025

Modified: 10 October 2025
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-60965 is a critical-severity OS Command Injection (CWE-78) vulnerability in EndRun Technologies Sonoma D12 firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 33.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-2 requires timely patching of the Sonoma D12 firmware flaw, directly eliminating the OS command injection vulnerability as advised by the vendor.

Prevent: SI-10 enforces input validation at vulnerable interfaces, preventing attackers from injecting malicious OS commands even when they hold high privileges.

Prevent: AC-6 least privilege restricts high-privilege access and limits the damage from privilege escalation that results from exploiting the command injection.

MITRE ATT&CK Enterprise Techniques · AI

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

OS Command Injection (CWE-78) directly enables T1059.004 (Unix Shell) for arbitrary command execution on likely Unix-based firmware; remote network exploitation (AV:N/PR:H) maps to T1210 (Exploitation of Remote Services) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, gain sensitive information, and possibly other unspecified impacts.

Deeper analysis · AI

CVE-2025-60965 is an OS Command Injection vulnerability (CWE-78) in EndRun Technologies Sonoma D12 Network Time Server (GPS) firmware version 6010-0071-000 Ver 4.00. Published on 2025-10-06T17:16:07.417, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact network-based exploitation.

Attackers with high privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation enables arbitrary code execution, denial of service, escalated privileges, disclosure of sensitive information, and possibly other unspecified impacts, with a changed scope amplifying the consequences across confidentiality, integrity, and availability.

Advisories detailing mitigations and patches are available from the vendor at http://endrun.com and http://sonoma.com, as well as a security research advisory at https://xdiv-sec.github.io/vulnerability-research/advisories/2025-10-03-sonoma-d12.

Details

CWE(s)

Affected Products

endruntechnologies · sonoma d12 firmware · 6010-0071-000

CVEs Like This One

CVE-2025-60964 · Same product: EndRun Technologies Sonoma D12
CVE-2025-60960 · Same product: EndRun Technologies Sonoma D12
CVE-2025-60959 · Same product: EndRun Technologies Sonoma D12
CVE-2025-60957 · Same product: EndRun Technologies Sonoma D12
CVE-2025-60963 · Same product: EndRun Technologies Sonoma D12
CVE-2025-60962 · Same product: EndRun Technologies Sonoma D12
CVE-2025-56089 · Shared CWE-78
CVE-2025-64328 · Shared CWE-78
CVE-2025-10680 · Shared CWE-78
CVE-2025-34312 · Shared CWE-78
