CVE-2025-60957

OS Command Injection vulnerability in EndRun Technologies Sonoma Multiple Products

A critical OS command injection vulnerability has been identified in multiple EndRun Technologies Sonoma products, including the Sonoma D12 Network Time Server.

Executive summary

A critical OS command injection vulnerability has been identified in multiple EndRun Technologies Sonoma products, including the Sonoma D12 Network Time Server. This flaw allows an unauthenticated remote attacker to execute arbitrary commands on the affected device, potentially leading to a complete system compromise, denial of service, and unauthorized access to the network. Due to the critical nature and high severity score, immediate remediation is required to prevent exploitation.

Vulnerability

This is an OS Command Injection vulnerability. The flaw exists because the device's software does not properly sanitize user-supplied input before passing it to a system shell command. An attacker can exploit this by crafting a malicious request, likely through the web management interface or an API endpoint, that includes operating system commands. These commands are then executed on the device with the privileges of the running service, leading to arbitrary code execution.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.9, indicating a high likelihood of exploitation with severe consequences. Successful exploitation could lead to a complete compromise of the network time server, which is a critical infrastructure component. An attacker could disrupt time synchronization across the entire network, causing failures in logging, authentication systems (like Kerberos), and financial transaction processing. Furthermore, an attacker could install persistent malware, exfiltrate sensitive network data, or use the compromised device as a pivot point to launch further attacks against the internal network, resulting in significant operational downtime, data breaches, and loss of system integrity.

Remediation

Immediate Action: Update the firmware of all affected EndRun Technologies Sonoma devices to the latest vendor-provided version to patch the vulnerability. After patching, closely monitor system and access logs for any signs of compromise or attempted exploitation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring for affected devices. Security teams should look for unusual or suspicious commands in shell execution logs, unexpected outbound network connections from the time server, unauthorized changes to system configuration files, and abnormal spikes in CPU or memory utilization. Review web server access logs for requests containing special characters or shell commands (e.g., ;, |, &&, $(...)).

Compensating Controls: If patching cannot be performed immediately, apply compensating controls to reduce the risk. Restrict network access to the device's management interface to a dedicated, trusted administrative VLAN or IP address range. If the device's web interface must be exposed, place it behind a Web Application Firewall (WAF) with rules designed to block command injection attack patterns.
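The access-log review described under Proactive Monitoring above, as an added example that is not part of the advisory or of any EndRun tooling: it parses constructed web access-log lines (the paths, query names and client addresses are invented), URL-decodes each request target before matching, so that encoded or double-encoded metacharacters are not missed, and reports the shell constructs the advisory lists (;, |, &&, $(...)) plus backticks and newlines, which serve the same purpose in a shell.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real EndRun device logs):
# one benign request, one with an encoded ';', one with an encoded '$('.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2025:12:00:01 +0000] "GET /cgi-bin/status?host=ntp1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2025:12:00:07 +0000] "GET /cgi-bin/status?host=ntp1%3Buptime HTTP/1.1" 200 640
10.0.0.9 - - [10/Oct/2025:12:00:09 +0000] "POST /cgi-bin/config?name=%24%28hostname%29 HTTP/1.1" 200 70
"""

# Shell metacharacters named in the advisory (; | && $(...)) plus backtick and newline.
# A single '&' is a normal query-string separator, so only '&&' is flagged.
SHELL_META = re.compile(r"(;|\|\|?|&&|\$\(|`|\n)")

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def decode_target(target: str) -> str:
    """URL-decode until stable so a double-encoded ';' (%253B) is still caught."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded target contains shell metacharacters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        decoded = decode_target(m.group("target"))
        hits = sorted(set(SHELL_META.findall(decoded)))
        if hits:
            findings.append({"line": lineno, "client": line.split()[0],
                             "target": decoded, "metachars": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['target']} (found {f['metachars']})")
```

Tune the pattern to the device's own URL grammar before deploying it as an alert: a '|' or ';' that legitimately appears in some parameter will otherwise generate noise, while the decode step is what keeps encoded variants from slipping past a literal-character search.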

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.9 and the potential for complete system compromise, organizations must treat this vulnerability with the highest priority. The immediate application of the vendor-supplied patch is the most effective course of action. Although this CVE is not currently listed on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion. If patching is delayed, the compensating controls outlined above must be implemented immediately to mitigate the significant risk of exploitation.