A critical OS command injection vulnerability, identified as CVE-2025-60965, has been discovered in multiple EndRun Technologies Sonoma products. This flaw allows a remote attacker to execute arbitrary commands on the affected system, potentially leading to a full system compromise, denial of service, and unauthorized access to the network infrastructure.

The vulnerability is an OS Command Injection flaw. It exists because the application fails to properly sanitize user-supplied input before passing it to the operating system for execution. An unauthenticated remote attacker can craft a malicious request containing shell metacharacters (e.g., ;, |, &&) which are then executed by the underlying OS with the privileges of the application, leading to arbitrary code execution.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation could have a severe impact on business operations. An attacker could take complete control of the Network Time Server, which is a critical infrastructure component. Potential consequences include disrupting time synchronization across the network (affecting authentication, logging, and financial transactions), installing malware, exfiltrating sensitive data, or using the compromised device as a pivot point to attack other internal systems.

Immediate Action: Apply the security update provided by EndRun Technologies to all affected Sonoma products immediately. After patching, monitor system logs and network traffic for any signs of compromise or further exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring on affected devices. Security teams should look for unusual child processes spawned by the Sonoma application, unexpected outbound network connections from the time server, and review web access logs for requests containing shell command syntax and metacharacters.

Compensating Controls: If immediate patching is not feasible, restrict network access to the device's management interface to a limited set of trusted IP addresses. Additionally, deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rulesets designed to detect and block OS command injection attack patterns.

Public Exploit Available: false

Given the critical severity (CVSS 9.1) of this vulnerability, which allows for complete system compromise, immediate action is required. Organizations must prioritize applying the vendor-supplied updates to all affected EndRun Technologies Sonoma devices. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact and the potential for remote code execution make it an attractive target for threat actors, and prompt remediation is essential to prevent potential exploitation.