CVE-2025-60958 is a Cross Site Scripting (XSS) vulnerability identified in the EndRun Technologies Sonoma D12 Network Time Server, specifically in firmware version 4.00 (F/W 6010-0071-000). XSS vulnerabilities occur when an application does not properly sanitize user-supplied input, allowing attackers to inject malicious scripts into web pages viewed by other users. In this case, the network time server’s web interface is vulnerable, which could allow an attacker to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to theft of sensitive information such as authentication tokens, session cookies, or other confidential data accessible via the web interface. The vulnerability was published on October 6, 2025, with no CVSS score assigned yet and no known exploits detected in the wild. The affected product is a specialized network time server used to provide accurate time synchronization, often critical in network operations, telecommunications, and industrial control systems. The lack of patch links suggests that a fix has not yet been publicly released. Given the nature of XSS, exploitation typically requires the victim to interact with a maliciously crafted URL or content, implying some level of user interaction is necessary. The vulnerability primarily impacts confidentiality and integrity, with limited direct impact on availability. Since the device is a network appliance, exploitation could also facilitate further attacks within the network if attackers gain sensitive information or session control.

For European organizations, the impact of CVE-2025-60958 depends on the deployment scale of EndRun Sonoma D12 devices. These network time servers are often used in critical infrastructure sectors such as telecommunications, energy, finance, and government networks where precise time synchronization is essential. Exploitation could allow attackers to steal sensitive credentials or session information, potentially enabling unauthorized access to the device or the network it supports. This could lead to further lateral movement or manipulation of time-dependent processes, affecting logging accuracy, transaction timestamps, or security event correlation. While the vulnerability itself does not directly disrupt availability, the compromise of time servers can degrade trust in network operations and complicate incident response. European entities with stringent regulatory requirements for data integrity and security, such as those under GDPR or NIS Directive, may face compliance risks if such vulnerabilities are exploited. The absence of known exploits reduces immediate risk, but the specialized nature of the device means targeted attacks against critical infrastructure are plausible.

1. Monitor EndRun Sonoma D12 devices for unusual web interface activity and restrict access to trusted administrators only, ideally via VPN or secure management networks. 2. Implement strict input validation and output encoding on the device’s web interface to prevent script injection; coordinate with EndRun Technologies for firmware updates addressing this vulnerability. 3. Apply network segmentation to isolate time servers from general user networks to reduce exposure. 4. Use web application firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking XSS payloads targeting these devices. 5. Educate administrators to avoid clicking on suspicious links or interacting with untrusted content related to device management interfaces. 6. Regularly audit and update device firmware and software as patches become available. 7. Employ multi-factor authentication (MFA) for device access to mitigate risks from stolen credentials. 8. Maintain comprehensive logging and monitoring to detect potential exploitation attempts early.