CVE-2025-60967
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in EndRun Technologies Sonoma D12 Network Time Server allows attackers to inject malicious scripts into web interfaces, potentially stealing sensitive information or performing unauthorized actions. Organizations using the affected firmware version are at risk.
💻 Affected Systems
- EndRun Technologies Sonoma D12 Network Time Server (GPS)
📦 What is this software?
Sonoma D12 Firmware by EndRun Technologies
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, manipulate device settings, or use the device as a pivot point to attack internal networks.
Likely Case
Attackers steal session cookies or authentication tokens to gain unauthorized access to the device management interface.
If Mitigated
With proper network segmentation and access controls, impact is limited to the device itself without lateral movement.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity once the vulnerable endpoint is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://endrun.com
Restart Required: Yes
Instructions:
1. Check vendor website for firmware updates
2. Download latest firmware
3. Upload via web interface
4. Reboot device
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the device management interface to trusted networks only
Web Application Firewall
Deploy WAF with XSS protection rules in front of the device
🧯 If You Can't Patch
- Isolate the device on a separate VLAN with strict access controls
- Disable web management interface if not required and use alternative management methods
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: System > About or similar menu
Check Version:
No CLI command available - check via web interface
Verify Fix Applied:
Verify firmware version has been updated beyond Ver 4.00
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to management interface with script tags or encoded payloads
Network Indicators:
- HTTP requests containing suspicious script injection patterns to port 80/443
SIEM Query:
http.method=POST AND http.uri_path CONTAINS "/cgi-bin/" AND (http.user_agent CONTAINS "script" OR http.request_body CONTAINS "<script>")
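As an added example (not part of the original advisory or any vendor tooling), the following Python applies the SIEM query above to parsed HTTP log records, and extends it to catch the URL-encoded payloads mentioned under Log Indicators, which the literal `<script>` string match would miss. The record field names (`method`, `uri_path`, `user_agent`, `body`) and the sample log entries are constructed for the example and are not real device logs.

```python
import re
from urllib.parse import unquote

# Constructed sample log records (hypothetical field names, not real device logs).
SAMPLE_LOGS = [
    {"method": "POST", "uri_path": "/cgi-bin/config", "user_agent": "Mozilla/5.0",
     "body": "hostname=ntp1&tz=UTC"},                                   # benign config change
    {"method": "POST", "uri_path": "/cgi-bin/config", "user_agent": "Mozilla/5.0",
     "body": "hostname=<script>x</script>"},                             # literal script tag
    {"method": "POST", "uri_path": "/cgi-bin/config", "user_agent": "Mozilla/5.0",
     "body": "hostname=%3Cscript%3Ex%3C%2Fscript%3E"},                  # URL-encoded script tag
    {"method": "GET", "uri_path": "/cgi-bin/status", "user_agent": "curl/8.0",
     "body": ""},                                                       # GET, out of scope for the rule
    {"method": "POST", "uri_path": "/cgi-bin/config", "user_agent": "custom-script/1.0",
     "body": "hostname=ntp2"},                                          # UA clause of the rule
]

# Case-insensitive match for an opening script tag, tolerating whitespace after "<".
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def matches_siem_rule(record: dict) -> bool:
    """Literal translation of the advisory's SIEM query."""
    if record["method"] != "POST" or "/cgi-bin/" not in record["uri_path"]:
        return False
    ua_hit = "script" in record["user_agent"].lower()
    body_hit = "<script>" in record["body"].lower()
    return ua_hit or body_hit


def matches_extended_rule(record: dict) -> bool:
    """Same scope as the SIEM query, but decodes the body and uses a tolerant tag regex."""
    if record["method"] != "POST" or "/cgi-bin/" not in record["uri_path"]:
        return False
    body = decode_layers(record["body"])
    return bool(SCRIPT_TAG.search(body)) or "script" in record["user_agent"].lower()


def flag_suspicious(records, rule=matches_extended_rule):
    """Return the indices of records the given rule flags."""
    return [i for i, rec in enumerate(records) if rule(rec)]


if __name__ == "__main__":
    print("SIEM query hits:    ", flag_suspicious(SAMPLE_LOGS, matches_siem_rule))
    print("Extended rule hits: ", flag_suspicious(SAMPLE_LOGS))
```

The literal query flags only the plain `<script>` body and the user-agent match; the extended rule also catches the encoded record, at the cost of a bounded decode loop per request. Tune the user-agent clause against your own baseline, since it fires on any client string containing "script".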