CVE-2025-60961

6.1 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in the EndRun Technologies Sonoma D12 Network Time Server lets an attacker inject script into pages served by the device's web management interface. The injected script runs in the browser of an administrator who views the affected page, with that user's session, so an attacker could steal session data or credentials, change device settings, or perform other actions as that user. Organizations running this specific firmware version are affected.

💻 Affected Systems

Products:
  • EndRun Technologies Sonoma D12 Network Time Server (GPS)
Versions: Firmware 6010-0071-000 Version 4.00
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific firmware version mentioned; other versions may be unaffected.

📦 What is this software?

The Sonoma D12 is EndRun Technologies' GPS-referenced network time server. The component affected here is its web management interface, not the time service itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Through a hijacked administrator session: changes to the device configuration, theft of credentials, persistence on the device, and use of it as a foothold toward connected systems.

🟠 Likely Case

Session hijacking, disclosure of sensitive information (credentials, configuration data), and limited manipulation of device settings.

🟢 If Mitigated

Limited impact where the management interface is reachable only from a segmented management network, administrative access is tightly controlled, and fixed firmware (with proper input validation and output encoding) stops the injected script from executing.

🌐 Internet-Facing: HIGH - if the device's HTTP(S) management interface is reachable from the Internet. The vector is the web interface, not the NTP service (UDP/123) itself.
🏢 Internal Only: MEDIUM - still a significant risk if an attacker has a foothold on the internal network or can get an administrator to open a crafted link (for example via phishing).

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, especially when no authentication is needed to deliver the payload. Exploitation still needs a victim: an administrator with an active session must load the page that renders the injected script.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://endrun.com (vendor site; no product-specific advisory URL is listed here)

Restart Required: Yes

Instructions:

1. Check the vendor website for security advisories.
2. Download updated firmware if available.
3. Back up the current configuration.
4. Apply the firmware update via the web interface or console.
5. Verify functionality after the update.

🔧 Temporary Workarounds

Network Segmentation (all deployments)

Restrict access to the device's HTTP(S) management interface to a trusted management network; NTP (UDP/123) can stay reachable for clients that need it.

Web Application Firewall (all deployments)

Place a reverse proxy or WAF with XSS rule sets in front of the management interface to filter obvious payloads. Treat this as partial: pattern-based filters are bypassed by encoding and context tricks, so it does not replace the firmware fix.

🧯 If You Can't Patch

  • Isolate device on separate VLAN with strict firewall rules
  • Disable the web management interface if it is not required and manage the device over the serial console instead

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Status > Firmware Version

Check Version:

curl -k https://[device-ip]/status | grep 'Firmware Version'

Verify Fix Applied:

Confirm that the firmware version reported by the device is newer than 4.00 (6010-0071-000), then re-test the previously affected input with a harmless marker payload (not a real script) and confirm it comes back HTML-encoded rather than verbatim.
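One way to do the "payloads are sanitized" check reproducibly, as an added example for this page (not EndRun code): send a harmless probe string in a request parameter and classify whether the response echoes it raw, with only angle brackets encoded (still exploitable inside an attribute value), or fully encoded. The page does not name the vulnerable page or parameter, so the URL and parameter name are arguments you supply; the `MARKER`/`PROBE` values and the optional cookie header are this example's own assumptions. Run it only against a unit you are authorized to test.

```python
"""Check whether a device web page reflects a harmless probe string raw or
HTML-encoded.  Added example for this page, not EndRun code.  The affected
endpoint and parameter are not named on the page, so you pass the URL and
parameter name on the command line (test a lab unit or use a maintenance
window, with permission)."""
import ssl
import sys
import urllib.request
from urllib.parse import urlencode

MARKER = "xssprobe7k"                 # assumed marker, unlikely to occur naturally in a page
PROBE = MARKER + "<b>\"'</b>"         # harmless: one <b> tag plus both quote characters


def classify_reflection(body: str) -> str:
    """Classify how the probe came back in the response body:
       'raw'     - echoed verbatim; script injection would work (still vulnerable)
       'partial' - angle brackets encoded but quotes not; still exploitable
                   when reflected inside an attribute value
       'escaped' - brackets and quotes encoded; this sink is fixed
       'absent'  - marker not present; the parameter is not reflected here
       'unknown' - reflected in a form this check does not recognise (inspect by hand)"""
    i = body.find(MARKER)
    if i < 0:
        return "absent"
    rest = body[i + len(MARKER):]
    if rest.startswith("<b>"):
        return "raw"
    for enc in ("&lt;b&gt;", "&#60;b&#62;", "&#x3c;b&#x3e;"):
        if rest.lower().startswith(enc):
            after = rest[len(enc):]
            # An encoder that handled the brackets should have encoded the
            # quote that follows too; a literal quote here means it did not.
            return "escaped" if after.startswith("&") else "partial"
    return "unknown"


def probe_url(base_url: str, param: str, cookie: str = "", timeout: float = 10.0) -> str:
    """Send the probe in a GET parameter and classify the response.  TLS
    verification is disabled like `curl -k`, since such devices usually ship
    self-signed certificates.  `cookie` is an assumed session cookie for pages
    that require login."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"{base_url}?{urlencode({param: PROBE})}"
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: python probe.py https://<device-ip>/<page> <param> [session-cookie]
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: probe.py BASE_URL PARAM [COOKIE]")
    cookie_arg = sys.argv[3] if len(sys.argv) == 4 else ""
    print(probe_url(sys.argv[1], sys.argv[2], cookie_arg))
```

A result of `raw` or `partial` after the update means that particular input is still reflected unsafely; `escaped` covers only the page and parameter you probed, so repeat it for each input the advisory (once published) identifies.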

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the management interface whose URI or body contains script tags, event-handler attributes (onerror=, onload=) or javascript: URIs, in plain or percent-encoded form
  • Multiple failed login attempts followed by script injection attempts, or a burst of such requests from a single source

Network Indicators:

  • HTTP requests to the device IP containing <script>, javascript:, or other XSS payloads, including percent-encoded forms such as %3Cscript%3E

SIEM Query:

source="sonoma-d12-logs" AND (http_uri="*<script>*" OR http_uri="*%3Cscript%3E*" OR http_uri="*javascript:*" OR http_uri="*onerror=*")

Wildcard matches on the raw URI miss double-encoded and obfuscated payloads; decode the URI field at ingest if your SIEM supports it, and treat a match as a lead to inspect rather than proof of exploitation.
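The same detection logic run offline over access-log lines, as an added example for this page (not EndRun code or a vendor log format): it assumes Common Log Format lines from the device or from a reverse proxy in front of it, percent-decodes the URI a bounded number of times so that plain, encoded and double-encoded payloads all match, and counts flagged requests per source. The `SAMPLE_LOG` lines and the `/cgi-bin/page` path in them are constructed for illustration.

```python
"""Scan web-server access logs for XSS-style payloads aimed at the time server's
management interface.  Added example for this page, not EndRun code: it assumes
Common Log Format lines (from the device or a reverse proxy in front of it);
SAMPLE_LOG and its /cgi-bin/page path are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines.  10.0.0.9 sends plain, percent-encoded and
# double-encoded payloads; a raw "*<script>*" wildcard would miss most of them.
# The last line is a benign value that a naive "*javascript*" match would flag.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /status HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /cgi-bin/page?name=<script>alert(1)</script> HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /cgi-bin/page?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /cgi-bin/page?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/page?url=javascript:alert(1) HTTP/1.1" 200 700
10.0.0.7 - - [01/Jan/2025:10:00:06 +0000] "GET /cgi-bin/page?name=javascripts-and-more HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, applied to the decoded URI (query string included).
XSS_PATTERNS = {
    "script_tag":     re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler":  re.compile(r"<\s*\w+[^>]*\son[a-z]+\s*=", re.I),
    "risky_tag":      re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %3Cscript%3E and double-encoded
    payloads such as %253C... are compared in their decoded form."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def matched_indicators(uri: str) -> list:
    """Names of the XSS indicators present in the decoded URI (empty if clean)."""
    decoded = normalize_uri(uri)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]


def scan_log(text: str) -> list:
    """One dict per suspicious request: source IP, raw URI and matched indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = matched_indicators(m["uri"])
        if found:
            hits.append({"ip": m["ip"], "uri": m["uri"], "indicators": found})
    return hits


def repeat_offenders(hits: list, threshold: int = 2) -> dict:
    """Sources with at least `threshold` flagged requests; a burst from one
    address is a stronger signal than a single probe."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {",".join(h["indicators"])} {h["uri"]}')
    print("repeat offenders:", repeat_offenders(found))
```

Feed it real logs with `scan_log(open(path).read())`; the patterns are deliberately narrow so a hit is worth a look, but they are not exhaustive, and a decoded URI that is only unusual (not matched) still deserves attention when it targets the management pages.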

🔗 References
