Refine your search
5 vulnerabilities found for Time Provider 4100 by Microchip
CVE-2025-9497 (GCVE-0-2025-9497)
Vulnerability from cvelistv5
Published
2026-03-28 10:58
Modified
2026-04-01 13:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip | Time Provider 4100 |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:54:38.708217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:55:03.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Time Provider 4100",
"vendor": "Microchip",
"versions": [
{
"lessThan": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User knowledge of the decryption passwords and upgrade package structure.\u003cbr\u003e"
}
],
"value": "User knowledge of the decryption passwords and upgrade package structure."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dario Emilio Bertani"
},
{
"lang": "en",
"type": "finder",
"value": "Raffaele Bova"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Sindoni"
},
{
"lang": "en",
"type": "finder",
"value": "Simone Bossi"
},
{
"lang": "en",
"type": "finder",
"value": "Antonio Carriero"
},
{
"lang": "en",
"type": "finder",
"value": "Marco Manieri"
},
{
"lang": "en",
"type": "finder",
"value": "Vito Pistillo"
},
{
"lang": "en",
"type": "finder",
"value": "Davide Renna"
},
{
"lang": "en",
"type": "finder",
"value": "Manuel Leone"
},
{
"lang": "en",
"type": "finder",
"value": "Massimiliano Brolli"
},
{
"lang": "en",
"type": "reporter",
"value": "TIM Security Red Team Research (TIM S.p.A)"
}
],
"datePublic": "2026-03-28T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.\u003cp\u003eThis issue affects Time Provider 4100: before 2.5.0.\u003c/p\u003e"
}
],
"value": "Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-533",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-533 Malicious Manual Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:52:21.770Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-hardcoded-upgrade-decryption-passwords"
},
{
"tags": [
"technical-description"
],
"url": "https://www.gruppotim.it/en/footer/TIM-red-team.html"
}
],
"source": {
"advisory": "PSIRT-104",
"discovery": "EXTERNAL"
},
"title": "Hardcoded Upgrade Decryption Passwords",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\n\u003c/div\u003e\n\n \n\u003c/div\u003e\n \n \u003cdiv\u003e\n \u003cdiv\u003e\n \u003cdiv\u003e\n \u003cdiv\u003e\u003cdiv\u003e\n\n \u003cp\u003eUpgrades are only available on a separate management port which \nshould not be connected to an untrusted network. ACLs are available to \nfurther restrict access to only trusted addresses.\u003c/p\u003e\n\n\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Upgrades are only available on a separate management port which \nshould not be connected to an untrusted network. ACLs are available to \nfurther restrict access to only trusted addresses."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2025-9497",
"datePublished": "2026-03-28T10:58:29.620Z",
"dateReserved": "2025-08-26T17:59:09.578Z",
"dateUpdated": "2026-04-01T13:55:03.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47904 (GCVE-0-2025-47904)
Vulnerability from cvelistv5
Published
2026-02-24 15:34
Modified
2026-03-31 10:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-494 - Download of Code Without Integrity Check
Summary
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip | Time Provider 4100 |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T19:52:08.415815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:53:24.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Time Provider 4100",
"vendor": "Microchip",
"versions": [
{
"lessThan": "2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User knowledge of the decryption passwords and upgrade package structure.\u003cbr\u003e"
}
],
"value": "User knowledge of the decryption passwords and upgrade package structure."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dario Emilio Bertani"
},
{
"lang": "en",
"type": "finder",
"value": "Raffaele Bova"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Sindoni"
},
{
"lang": "en",
"type": "finder",
"value": "Simone Bossi"
},
{
"lang": "en",
"type": "finder",
"value": "Antonio Carriero"
},
{
"lang": "en",
"type": "finder",
"value": "Marco Manieri"
},
{
"lang": "en",
"type": "finder",
"value": "Vito Pistillo"
},
{
"lang": "en",
"type": "finder",
"value": "Davide Renna"
},
{
"lang": "en",
"type": "finder",
"value": "Manuel Leone"
},
{
"lang": "en",
"type": "finder",
"value": "Massimiliano Brolli"
},
{
"lang": "en",
"type": "reporter",
"value": "TIM Security Red Team Research (TIM S.p.A)"
}
],
"datePublic": "2026-02-18T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.\u003cp\u003eThis issue affects Time Provider 4100: before 2.5.\u003c/p\u003e"
}
],
"value": "Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5."
}
],
"impacts": [
{
"capecId": "CAPEC-533",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-533 Malicious Manual Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T10:39:23.425Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability"
},
{
"tags": [
"technical-description"
],
"url": "https://www.gruppotim.it/en/footer/TIM-red-team.html"
}
],
"source": {
"advisory": "PSIRT-105",
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-04-14T22:00:00.000Z",
"value": "Reported"
}
],
"title": "Unsigned upgrade package",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrades are only available on a separate management port which should \nnot be connected to an untrusted network. ACLs are available to further\n restrict access to only trusted addresses.\n\n\u003cbr\u003e"
}
],
"value": "Upgrades are only available on a separate management port which should \nnot be connected to an untrusted network. ACLs are available to further\n restrict access to only trusted addresses."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2025-47904",
"datePublished": "2026-02-24T15:34:20.905Z",
"dateReserved": "2025-05-13T19:24:53.452Z",
"dateUpdated": "2026-03-31T10:39:23.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47902 (GCVE-0-2025-47902)
Vulnerability from cvelistv5
Published
2025-10-20 17:52
Modified
2026-03-31 10:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip Time Provider 4100 allows SQL Injection.This issue affects Time Provider 4100: before 2.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip | Time Provider 4100 |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T15:37:47.373652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T15:38:03.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Time Provider 4100",
"vendor": "Microchip",
"versions": [
{
"lessThan": "2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A user authenticated on the web interface on the separate management port."
}
],
"value": "A user authenticated on the web interface on the separate management port."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dario Emilio Bertani"
},
{
"lang": "en",
"type": "finder",
"value": "Raffaele Bova"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Sindoni"
},
{
"lang": "en",
"type": "finder",
"value": "Simone Bossi"
},
{
"lang": "en",
"type": "finder",
"value": "Antonio Carriero"
},
{
"lang": "en",
"type": "finder",
"value": "Marco Manieri"
},
{
"lang": "en",
"type": "finder",
"value": "Vito Pistillo"
},
{
"lang": "en",
"type": "finder",
"value": "Davide Renna"
},
{
"lang": "en",
"type": "finder",
"value": "Manuel Leone"
},
{
"lang": "en",
"type": "finder",
"value": "Massimiliano Brolli"
},
{
"lang": "en",
"type": "reporter",
"value": "TIM Security Red Team Research (TIM S.p.A)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Microchip Time Provider 4100 allows SQL Injection.\u003cp\u003eThis issue affects Time Provider 4100: before 2.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Microchip Time Provider 4100 allows SQL Injection.This issue affects Time Provider 4100: before 2.5."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T10:38:57.976Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-sql-command-injection-47902"
},
{
"tags": [
"technical-description"
],
"url": "https://www.gruppotim.it/en/footer/TIM-red-team.html"
}
],
"source": {
"advisory": "PSIRT-103",
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-04-15T07:00:00.000Z",
"value": "Reported"
}
],
"title": "SQL Injection in web resource",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Do not expose the web interface on the separate management port to an \nuntrusted network. For added security, users have the option to disable \nthe web interface, further protecting the device from potential \nweb-based exploitations."
}
],
"value": "Do not expose the web interface on the separate management port to an \nuntrusted network. For added security, users have the option to disable \nthe web interface, further protecting the device from potential \nweb-based exploitations."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2025-47902",
"datePublished": "2025-10-20T17:52:52.844Z",
"dateReserved": "2025-05-13T19:24:53.452Z",
"dateUpdated": "2026-03-31T10:38:57.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47901 (GCVE-0-2025-47901)
Vulnerability from cvelistv5
Published
2025-10-20 17:48
Modified
2026-03-31 10:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip | Time Provider 4100 |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T15:38:53.264980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T15:38:55.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Time Provider 4100",
"vendor": "Microchip",
"versions": [
{
"lessThan": "2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated user with access to the web interface on a separate management port"
}
],
"value": "An authenticated user with access to the web interface on a separate management port"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dario Emilio Bertani"
},
{
"lang": "en",
"type": "finder",
"value": "Raffaele Bova"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Sindoni"
},
{
"lang": "en",
"type": "finder",
"value": "Simone Bossi"
},
{
"lang": "en",
"type": "finder",
"value": "Antonio Carriero"
},
{
"lang": "en",
"type": "finder",
"value": "Marco Manieri"
},
{
"lang": "en",
"type": "finder",
"value": "Vito Pistillo"
},
{
"lang": "en",
"type": "finder",
"value": "Davide Renna"
},
{
"lang": "en",
"type": "finder",
"value": "Manuel Leone"
},
{
"lang": "en",
"type": "finder",
"value": "Massimiliano Brolli"
},
{
"lang": "en",
"type": "reporter",
"value": "TIM Security Red Team Research (TIM S.p.A)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Microchip Time Provider 4100 allows OS Command Injection.\u003cp\u003eThis issue affects Time Provider 4100: before 2.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T10:38:33.680Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution-47901"
},
{
"tags": [
"technical-description"
],
"url": "https://www.gruppotim.it/en/footer/TIM-red-team.html"
}
],
"source": {
"advisory": "PSIRT-102",
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-04-15T07:00:00.000Z",
"value": "Reported"
}
],
"title": "RCE on restore configuration password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Do not expose the web interface on the separate management port to an \nuntrusted network. For added security, users have the option to disable \nthe web interface, further protecting the device from potential \nweb-based exploitations."
}
],
"value": "Do not expose the web interface on the separate management port to an \nuntrusted network. For added security, users have the option to disable \nthe web interface, further protecting the device from potential \nweb-based exploitations."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2025-47901",
"datePublished": "2025-10-20T17:48:20.775Z",
"dateReserved": "2025-05-13T19:24:53.452Z",
"dateUpdated": "2026-03-31T10:38:33.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47900 (GCVE-0-2025-47900)
Vulnerability from cvelistv5
Published
2025-10-20 17:43
Modified
2026-03-31 10:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip | Time Provider 4100 |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:01:10.599374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T18:02:36.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Time Provider 4100",
"vendor": "Microchip",
"versions": [
{
"lessThan": "2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated user with access to the web interface on a separate management port."
}
],
"value": "An authenticated user with access to the web interface on a separate management port."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dario Emilio Bertani"
},
{
"lang": "en",
"type": "finder",
"value": "Raffaele Bova"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Sindoni"
},
{
"lang": "en",
"type": "finder",
"value": "Simone Bossi"
},
{
"lang": "en",
"type": "finder",
"value": "Antonio Carriero"
},
{
"lang": "en",
"type": "finder",
"value": "Marco Manieri"
},
{
"lang": "en",
"type": "finder",
"value": "Vito Pistillo"
},
{
"lang": "en",
"type": "finder",
"value": "Davide Renna"
},
{
"lang": "en",
"type": "finder",
"value": "Manuel Leone"
},
{
"lang": "en",
"type": "finder",
"value": "Massimiliano Brolli"
},
{
"lang": "en",
"type": "reporter",
"value": "TIM Security Red Team Research (TIM S.p.A)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Microchip Time Provider 4100 allows OS Command Injection.\u003cp\u003eThis issue affects Time Provider 4100: before 2.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T10:38:11.018Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution"
},
{
"tags": [
"technical-description"
],
"url": "https://www.gruppotim.it/en/footer/TIM-red-team.html"
}
],
"source": {
"advisory": "PSIRT-101",
"discovery": "UNKNOWN"
},
"title": "RCE on backup configuration password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Do not expose the web interface on the separate management port to an \nuntrusted network. For added security, users have the option to disable \nthe web interface, further protecting the device from potential \nweb-based exploitations."
}
],
"value": "Do not expose the web interface on the separate management port to an \nuntrusted network. For added security, users have the option to disable \nthe web interface, further protecting the device from potential \nweb-based exploitations."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2025-47900",
"datePublished": "2025-10-20T17:43:33.890Z",
"dateReserved": "2025-05-13T19:24:53.452Z",
"dateUpdated": "2026-03-31T10:38:11.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}