CVE-2025-60964
EndRun · EndRun Technologies Sonoma Multiple Products
A critical OS Command Injection vulnerability, identified as CVE-2025-60964, has been discovered in multiple EndRun Technologies Sonoma products, including the D12 Network Time Server.
Executive summary
A critical OS Command Injection vulnerability, identified as CVE-2025-60964, has been discovered in multiple EndRun Technologies Sonoma products, including the D12 Network Time Server. This flaw allows an unauthenticated attacker to execute arbitrary commands on the affected device, potentially leading to a full system compromise, denial of critical time services, and unauthorized access to the network. Due to its high severity and the critical role of these devices in network infrastructure, immediate remediation is strongly advised.
Vulnerability
This vulnerability is an OS Command Injection flaw that stems from insufficient input validation in the device's software. An attacker can send a specially crafted network request containing malicious shell commands to a vulnerable component of the device's management interface. Because the input is not properly sanitized, the application passes these commands directly to the underlying operating system for execution, granting the attacker the ability to run arbitrary code with the privileges of the application process, which may lead to full system control.
Business impact
With a CVSS score of 9.1, this vulnerability is rated as critical. Exploitation could have a severe business impact, as network time servers are fundamental to network operations. Successful exploitation allows an attacker to take complete control of the time server, leading to consequences such as: disruption of time synchronization services (Denial of Service), which can impact authentication protocols like Kerberos, transaction logging, and overall network stability; unauthorized access to sensitive configuration data; and using the compromised device as a pivot point to launch further attacks against the internal network.
Remediation
Immediate Action: Apply the latest firmware updates provided by EndRun Technologies to all affected Sonoma devices to patch the vulnerability. Following the update, actively monitor for any signs of exploitation attempts by reviewing system and access logs for anomalous activity.
Proactive Monitoring:
- Log Analysis: Scrutinize web server, application, and system logs on the Sonoma devices for unusual requests, especially those containing shell metacharacters (e.g., `;`, `|`, `&&`, `$(...)`).
- Network Traffic Analysis: Monitor network traffic to and from the affected devices for connections to suspicious IP addresses, unexpected data exfiltration, or other anomalous patterns that could indicate a compromise.
- System Integrity: Monitor for unexpected processes, unauthorized configuration changes, or the creation of suspicious files on the device, which could be indicators of post-exploitation activity.
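The log-analysis step above can be automated. The following is an added example (not EndRun code and not taken from this advisory) that scans web-server access lines for the listed shell metacharacters after URL-decoding them, so percent-encoded variants such as `%3B` or `%24%28` are not missed; the log lines, paths and IP addresses are constructed for illustration and are not the Sonoma interface's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Metacharacters the advisory recommends hunting for (;  |  &&  $(...)),
# plus backticks, which are another form of command substitution.
# A lone "&" is deliberately not matched: it separates normal query parameters.
SHELL_META = re.compile(r"(;|\|\||\||&&|\$\(|`)")

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_target(target):
    """URL-decode twice so double-encoded values (%2524 -> %24 -> $) are caught."""
    return unquote_plus(unquote_plus(target))

def flag_line(line):
    """Return a finding dict if the request target contains a shell metacharacter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line; skip rather than crash
    decoded = decode_target(m.group("target"))
    hit = SHELL_META.search(decoded)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": decoded,
        "metachar": hit.group(0),
        "status": int(m.group("status")),
    }

def scan(lines):
    """Scan an iterable of access-log lines and return the flagged findings in order."""
    return [f for f in (flag_line(l) for l in lines) if f is not None]

# Constructed sample log (hypothetical paths; 198.51.100.0/24 is a documentation range).
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/diag?host=10.0.0.1;uptime HTTP/1.1" 200 318',
    '10.0.0.7 - - [01/Jan/2025:10:00:07 +0000] "GET /cgi-bin/diag?host=10.0.0.1&count=3 HTTP/1.1" 200 300',
    '198.51.100.23 - - [01/Jan/2025:10:00:09 +0000] "POST /cgi-bin/diag?host=10.0.0.1%24%28hostname%29 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with a 200 or 500 status from an untrusted source address deserve the follow-up checks in the System Integrity bullet above.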
Compensating Controls:
- If patching cannot be performed immediately, restrict network access to the device's management interface to a trusted administrative network or specific IP addresses.
- Place the device behind a Web Application Firewall (WAF) configured with rules to detect and block OS command injection attack patterns.
- Ensure the device is on a segmented network to limit an attacker's ability to move laterally if the system is compromised.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity of this vulnerability and the essential function of network time servers, organizations are urged to treat this as a high-priority threat. The potential for complete system compromise and disruption to core network services presents a significant risk. Although CVE-2025-60964 is not currently on the CISA KEV list, its high impact makes it a likely candidate for future inclusion. We strongly recommend that all affected EndRun Technologies Sonoma devices are patched immediately. If patching is delayed, the compensating controls listed above should be implemented without delay to reduce the attack surface.