Skip to main content

Timeprovider 4100 Firmware CVE-2025-47900

HIGH
OS Command Injection (CWE-78)
2025-10-20 dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 31, 2026 - 11:37 vuln.today
CVE Published
Oct 20, 2025 - 18:15 nvd
HIGH 8.9

DescriptionCVE.org

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5.

AnalysisAI

OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execute arbitrary system commands with elevated privileges on firmware versions prior to 2.5. The vulnerability requires low attack complexity and low privileges, enabling complete compromise of device confidentiality, integrity, and availability. EPSS exploitation probability is low (0.28%, 51st percentile) with no public exploit identified at time of analysis, though the straightforward attack vector presents significant risk to network time infrastructure in enterprise environments.

Technical ContextAI

This vulnerability affects the Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5), a precision network time protocol (NTP/PTP) appliance used in critical infrastructure and telecommunications for high-accuracy time synchronization. The flaw stems from CWE-78 (OS Command Injection), where the device fails to properly sanitize user-supplied input before passing it to system shell commands. Given the adjacent network attack vector (AV:A) in the CVSS 4.0 vector, the vulnerable interface is likely accessible via the device's management network rather than requiring direct physical access or internet exposure. Command injection vulnerabilities typically occur in web management interfaces, CLI handlers, or API endpoints that construct shell commands using concatenation or unsafe system() calls rather than parameterized execution. The CVSS vector indicates low attack complexity (AC:L) and requires only low privileges (PR:L), suggesting the vulnerability may be exploitable by any authenticated management user rather than requiring administrator-level access. The AT:P (Attack Requirements: Present) metric suggests specific preconditions must be met, possibly requiring the attacker to be on the same network segment or VLAN as the management interface.

RemediationAI

Organizations should immediately upgrade all TimeProvider 4100 Grandmaster devices to firmware version 2.5 or later, which addresses the command injection vulnerability according to Microchip's advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution. Prior to patching, implement network segmentation to restrict management interface access to dedicated administrative VLANs, enforce strong authentication with multi-factor authentication where supported, monitor device logs for unusual command execution patterns, and audit user accounts to ensure principle of least privilege. If immediate patching is not feasible, consider deploying jump hosts or bastion servers to mediate access to TimeProvider management interfaces, implement IP allowlisting to restrict management access to specific administrator workstations, and enhance monitoring for lateral movement attempts originating from compromised timing infrastructure. Given the device's role in precision time distribution, coordinate patching windows with stakeholders dependent on time services to minimize operational disruption.

CVE-2024-9054 HIGH POC
8.5 Oct 04

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Inform

CVE-2024-43687 HIGH POC
7.7 Oct 04

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T

CVE-2024-7801 MEDIUM POC
6.3 Oct 04

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProv

CVE-2025-47901 HIGH
8.9 Oct 20

OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated atta

CVE-2024-43685 HIGH
8.7 Oct 04

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.0 before 2

CVE-2024-43684 HIGH
8.7 Oct 04

Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-

CVE-2024-43683 HIGH
8.7 Oct 04

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP

CVE-2025-47902 HIGH
7.1 Oct 20

SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-leve

CVE-2025-47904 MEDIUM
5.7 Feb 24

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software

CVE-2024-43686 MEDIUM
5.4 Oct 04

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T

Share

CVE-2025-47900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy