Timeprovider 4100 Firmware
CVE-2025-47900
HIGH
Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5.
AnalysisAI
OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execute arbitrary system commands with elevated privileges on firmware versions prior to 2.5. The vulnerability requires low attack complexity and low privileges, enabling complete compromise of device confidentiality, integrity, and availability. EPSS exploitation probability is low (0.28%, 51st percentile) with no public exploit identified at time of analysis, though the straightforward attack vector presents significant risk to network time infrastructure in enterprise environments.
Technical ContextAI
This vulnerability affects the Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5), a precision network time protocol (NTP/PTP) appliance used in critical infrastructure and telecommunications for high-accuracy time synchronization. The flaw stems from CWE-78 (OS Command Injection), where the device fails to properly sanitize user-supplied input before passing it to system shell commands. Given the adjacent network attack vector (AV:A) in the CVSS 4.0 vector, the vulnerable interface is likely accessible via the device's management network rather than requiring direct physical access or internet exposure. Command injection vulnerabilities typically occur in web management interfaces, CLI handlers, or API endpoints that construct shell commands using concatenation or unsafe system() calls rather than parameterized execution. The CVSS vector indicates low attack complexity (AC:L) and requires only low privileges (PR:L), suggesting the vulnerability may be exploitable by any authenticated management user rather than requiring administrator-level access. The AT:P (Attack Requirements: Present) metric suggests specific preconditions must be met, possibly requiring the attacker to be on the same network segment or VLAN as the management interface.
RemediationAI
Organizations should immediately upgrade all TimeProvider 4100 Grandmaster devices to firmware version 2.5 or later, which addresses the command injection vulnerability according to Microchip's advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution. Prior to patching, implement network segmentation to restrict management interface access to dedicated administrative VLANs, enforce strong authentication with multi-factor authentication where supported, monitor device logs for unusual command execution patterns, and audit user accounts to ensure principle of least privilege. If immediate patching is not feasible, consider deploying jump hosts or bastion servers to mediate access to TimeProvider management interfaces, implement IP allowlisting to restrict management access to specific administrator workstations, and enhance monitoring for lateral movement attempts originating from compromised timing infrastructure. Given the device's role in precision time distribution, coordinate patching windows with stakeholders dependent on time services to minimize operational disruption.
More in Timeprovider 4100 Firmware
View allImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Inform
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProv
OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated atta
Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.0 before 2
Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP
SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-leve
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today