Security Advisory – EndRun Technologies Sonoma D12 Vulnerabilities
Advisory Date: 3 October 2025
Last Updated: 6 October 2025
Discovered By: SDAIA - Cyber Security (PT Team)
Vendor: EndRun Technologies
Affected Product: Sonoma D12 Network Time Server (GPS)
Affected Firmware Versions: 6010-0071-000 v4.00
Summary
The Penetration Testing Team at SDAIA – Cyber Security identified multiple vulnerabilities in the EndRun Technologies Sonoma D12 Network Time Server (GPS), affecting firmware version 6010-0071-000 v4.00. Successful exploitation could allow remote attackers to execute arbitrary OS commands, escalate privileges, disclose sensitive information, or cause a denial-of-service (DoS) condition. None of the assigned vectors is unauthenticated: the command-injection issues require at least a low-privileged (PR:L) or an administrative (PR:H) account on the device, and the CSRF, XSS and directory-traversal issues additionally require a logged-in user to be induced to interact with attacker-controlled content (UI:R).
Vulnerability Details
The following CVE IDs have been assigned by MITRE and are currently in RESERVED state:
CVE ID | Type | Severity | CVSS | Impact |
---|---|---|---|---|
CVE-2025-60957 | OS Command Injection (RCE, Low Privilege) | Critical (9.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise. |
CVE-2025-60959 | OS Command Injection (RCE, High Privilege) | Critical (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise requiring elevated privileges. |
CVE-2025-60960 | OS Command Injection (RCE, High Privilege) | Critical (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise requiring elevated privileges. |
CVE-2025-60962 | OS Command Injection (RCE, High Privilege) | Critical (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise requiring elevated privileges. |
CVE-2025-60963 | OS Command Injection (RCE, High Privilege) | Critical (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise requiring elevated privileges. |
CVE-2025-60964 | OS Command Injection (RCE, High Privilege) | Critical (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise requiring elevated privileges. |
CVE-2025-60965 | OS Command Injection (RCE, High Privilege) | Critical (9.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | Remote code execution, privilege escalation, and full system compromise requiring elevated privileges. |
CVE-2025-60956 | Cross-Site Request Forgery (CSRF) | High (8.0) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | Unauthorized actions through crafted web requests. |
CVE-2025-60958 | Cross-Site Scripting (XSS) | High (7.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | Disclosure of sensitive information and session hijacking. |
CVE-2025-60961 | Cross-Site Scripting (XSS) | High (7.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | Disclosure of sensitive information and session hijacking. |
CVE-2025-60967 | Cross-Site Scripting (XSS) | High (7.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | Disclosure of sensitive information and session hijacking. |
CVE-2025-60969 | Directory Traversal | Medium (5.7) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | Arbitrary file access and information disclosure. |
Recommendations
The following recommendations are based on the penetration testing findings for Sonoma D12 (GPS):
1. OS Command Injection (RCE)
- Replace unsafe functions (e.g., system(), popen()) with safer alternatives (fork/execve with an argument vector, so no shell interprets the input) where appropriate.
- Implement strict input validation (allow-listing, length checks, reject or filter shell metacharacters).
- Ensure all processes run with the principle of least privilege.
- Enforce privilege separation between components and services.
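As an added illustration of the first two bullets (this is example code, not code from the advisory or from EndRun's firmware), the following C program contrasts the pattern that produces this class of bug, a shell command line assembled from a user-supplied host name, with a fork/execve replacement that passes the host as a single argv element after allow-list validation. The ping wrapper, the validation rules and the use of /bin/echo as a stand-in for the ping binary are assumptions made for the example; nothing here reflects how the Sonoma D12 firmware is built.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list validation for a host argument: only [A-Za-z0-9.-], at most 253
 * bytes, non-empty, and not starting with '-' (so the target program cannot
 * parse it as an option). Returns 1 if acceptable, 0 otherwise. */
int validate_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Pattern to avoid: building a shell command line from user input. This only
 * builds the string that system() would have received, to show that shell
 * metacharacters pass straight through; it never executes it. */
int build_shell_command(char *buf, size_t buflen, const char *host)
{
    int n = snprintf(buf, buflen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Safer pattern: fork/execve with an argv array and a fixed environment.
 * No shell is involved, so the host is always exactly one argument.
 * Returns the child's exit status (0..255), -1 if validation rejects the
 * input (no process is spawned), or -2 if the child could not be run. */
int ping_host(const char *ping_path, const char *host)
{
    if (!validate_hostname(host))
        return -1;

    char *const argv[] = { (char *)ping_path, "-c", "1", (char *)host, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        execve(ping_path, argv, envp);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    char cmd[512];
    const char *evil = "8.8.8.8; cat /etc/shadow";   /* constructed input */

    build_shell_command(cmd, sizeof cmd, evil);
    printf("string system() would have run: %s\n", cmd);

    /* /bin/echo stands in for the ping binary so the example runs anywhere. */
    printf("ping_host(valid)    -> %d\n", ping_host("/bin/echo", "time.example.com"));
    printf("ping_host(injected) -> %d\n", ping_host("/bin/echo", evil));
    return 0;
}
```

The validation and the execve call are independent defences: even if a metacharacter slipped past the allow-list, execve would hand it to ping as part of one argument rather than to a shell.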
2. Cross-Site Request Forgery (CSRF)
- Add CSRF protections (tokens) to all state-changing requests.
- Validate CSRF protections on the server side.
3. Directory Traversal
- Canonicalize the requested path (resolving symlinks and ".." components) and confirm that the result stays within the intended directory before any file access.
- Disable directory listing at the web server configuration level.
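Added example (not from the advisory or the vendor) of the canonicalize-then-check approach in C: the requested path is resolved with realpath(3), which collapses ".." and follows symlinks, and the result is compared against the canonical base directory. The web-root layout, the symlink created under /tmp and the /etc paths used in the demonstration are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <fcntl.h>
#include <unistd.h>

/* Resolve user_path relative to base through realpath(3), then require the
 * result to be base itself or to lie strictly below "base/".
 * Returns 1 if inside, 0 if the path escapes, -1 if it cannot be resolved
 * (does not exist, too long, permission denied). */
int path_is_within(const char *base, const char *user_path)
{
    char joined[PATH_MAX], canon_base[PATH_MAX], canon[PATH_MAX];

    if (snprintf(joined, sizeof joined, "%s/%s", base, user_path) >= (int)sizeof joined)
        return -1;
    if (realpath(base, canon_base) == NULL || realpath(joined, canon) == NULL)
        return -1;
    if (strcmp(canon_base, "/") == 0)       /* everything is under "/" */
        return 1;

    size_t blen = strlen(canon_base);
    if (strncmp(canon, canon_base, blen) != 0)
        return 0;
    return (canon[blen] == '\0' || canon[blen] == '/') ? 1 : 0;
}

/* Open a file for reading only if the request canonicalizes inside base.
 * Returns a file descriptor, or -1 if the request escapes or cannot be resolved. */
int open_under(const char *base, const char *user_path)
{
    char joined[PATH_MAX];

    if (path_is_within(base, user_path) != 1)
        return -1;
    snprintf(joined, sizeof joined, "%s/%s", base, user_path);
    return open(joined, O_RDONLY);
}

int main(void)
{
    /* Constructed web root containing a symlink that points outside it. */
    char tmpl[] = "/tmp/webroot.XXXXXX";
    char link[PATH_MAX];
    char *root = mkdtemp(tmpl);
    if (root == NULL)
        return 1;
    snprintf(link, sizeof link, "%s/docs", root);
    if (symlink("/etc", link) != 0) {
        rmdir(root);
        return 1;
    }

    printf("docs/passwd       -> %d (no '..' in the request, still outside)\n",
           path_is_within(root, "docs/passwd"));
    printf("../../etc/passwd  -> %d (classic traversal)\n",
           path_is_within(root, "../../etc/passwd"));
    printf("index.html        -> %d (does not exist)\n",
           path_is_within(root, "index.html"));

    unlink(link);
    rmdir(root);
    return 0;
}
```

Filtering the literal string ".." is not sufficient: a symlink inside the document root reaches outside it without any ".." in the request, which is why the check is made on the resolved path. The resolve-then-open sequence still leaves a small window in which the filesystem could change underneath it; where the kernel supports it, opening with openat2(2) and RESOLVE_BENEATH performs the containment check atomically with the open.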
4. Reflected Cross-Site Scripting (XSS)
- Apply context-appropriate output encoding (HTML body, attribute, JavaScript, URL) to every reflected value at the point where it is written into the response.
- Enforce a strong Content Security Policy (CSP).
- Validate inputs with strict allow-lists.
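Added example (not code from the advisory or the device) of output encoding at the point of reflection in C, with a restrictive Content-Security-Policy header sent on the same response. The status-page markup, the header values and the helper names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode a string for insertion into HTML text or a double-quoted attribute:
 * the five characters that can change parser context become entities.
 * Returns a newly allocated string (caller frees), or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break;            /* &amp;  */
        case '<':
        case '>':  out_len += 4; break;            /* &lt; &gt; */
        case '"':  out_len += 6; break;            /* &quot; */
        case '\'': out_len += 5; break;            /* &#39;  */
        default:   out_len += 1;
        }
    }
    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(q, rep, n); q += n; }
        else     *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Assemble a minimal HTTP response for a status page that reflects a
 * user-supplied parameter. The value is encoded as it is written into the
 * markup, and a CSP that forbids inline script accompanies the page.
 * Returns a newly allocated string (caller frees), or NULL on failure. */
char *build_response(const char *reflected)
{
    static const char *csp =
        "Content-Security-Policy: default-src 'self'; script-src 'self'; "
        "object-src 'none'; base-uri 'none'";
    static const char *fmt =
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n%s\r\n\r\n"
        "<p>Requested host: %s</p>\r\n";

    char *safe = html_escape(reflected);
    if (safe == NULL)
        return NULL;
    size_t need = strlen(fmt) + strlen(csp) + strlen(safe) + 1;
    char *resp = malloc(need);
    if (resp != NULL)
        snprintf(resp, need, fmt, csp, safe);
    free(safe);
    return resp;
}

int main(void)
{
    /* Constructed payloads of the kind a reflected-XSS probe would send. */
    const char *payloads[] = { "<script>alert(1)</script>", "\" onmouseover=\"alert(1)" };
    for (size_t i = 0; i < 2; i++) {
        char *resp = build_response(payloads[i]);
        if (resp) { fputs(resp, stdout); free(resp); }
    }
    return 0;
}
```

This encoder covers HTML text and double-quoted attribute values only; a value reflected inside a script block, an event handler or a URL needs the encoder for that context, and the CSP is a second layer rather than a substitute for encoding.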
5. Temporary Mitigations (Until vendor patch is available)
Until an official patch is released, the vendor has provided confirmed interim mitigation steps that reduce exposure by disabling web-management access, the interface through which the reported issues are reached. The steps remove the execute bit from the HTTP daemon's startup script so the web server is no longer started at boot, copy the modified script (with its permissions preserved by -p) to /boot/etc/rc.d, and reboot the device. Apply them only after validation in a controlled/test environment and in coordination with the vendor and your operations/change-control teams.
Vendor-Provided Mitigation Steps:
chmod -x /etc/rc.d/rc.httpd
cp -p /etc/rc.d/rc.httpd /boot/etc/rc.d
reboot
⚠️ The vendor has verified these steps as an effective interim mitigation. Operational impact should be carefully evaluated before applying them in production environments: the web management interface stays unavailable until the change is reverted. After the reboot, confirm from a remote host that the web interface no longer responds, and confirm that the HTTP daemon remains disabled after a further reboot.
Disclosure Timeline
- 31 August 2025 – Vulnerabilities discovered and validated by SDAIA - Cyber Security (PT Team).
- 31 August 2025 – Vulnerabilities reported to vendor (EndRun Technologies).
- 1 October 2025 – MITRE reviewed the submission and allocated CVE IDs (RESERVED).
- 2 October 2025 – Draft security advisory shared with vendor for review.
- 3 October 2025 – Vendor reviewed the advisory.
- 3 October 2025 – Security advisory published.
Acknowledgments
These vulnerabilities were discovered and reported by the SDAIA - Cyber Security (PT Team):
- Abdulaziz Aldayri
- Abdullah Alfahmi
- Abdullah Alshibl
- Fahad Aljuaid
- Khalid Alzahrani
- Omar Alhawl
Disclaimer
This advisory is published under responsible disclosure with limited details to avoid exploitation. It is provided for informational purposes only, without any warranties, and the authors are not responsible for any actions taken based on this advisory.