Timeprovider 4100 Firmware
CVE-2025-47901
HIGH
Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5.
AnalysisAI
OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated attackers on adjacent networks to execute arbitrary system commands with high privileges, leading to complete device compromise. The vulnerability requires low attack complexity and low privileges, with exploitation probability at 0.28% (EPSS), indicating moderate real-world risk. No public exploit identified at time of analysis, but the adjacent network requirement and low complexity make this readily exploitable in targeted attacks against time synchronization infrastructure.
Technical ContextAI
The Microchip TimeProvider 4100 is a precision timing device that provides GPS-disciplined time synchronization for critical infrastructure and enterprise networks. This vulnerability (CWE-78: OS Command Injection) stems from improper neutralization of special characters in user-supplied input before passing it to system shell commands. The firmware running on the cpe:2.3:o:microchip:timeprovider_4100_firmware platform fails to sanitize input that gets interpolated into operating system commands, allowing authenticated users to break out of intended command contexts and execute arbitrary shell commands. The CVSS 4.0 vector indicates adjacent network access (AV:A) is required, meaning the attacker must be on the same network segment as the device, which is typical for industrial control system and timing infrastructure deployments. The Present Attack Complexity (AT:P) suggests some non-trivial conditions must be met, potentially related to specific operational states or timing windows.
RemediationAI
Upgrade all Microchip TimeProvider 4100 devices to firmware version 2.5 or later, which contains fixes for the command injection vulnerability. Consult the vendor advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution-47901 for detailed upgrade procedures and any model-specific considerations. As compensating controls during the upgrade window, implement strict network segmentation to isolate timing infrastructure on dedicated VLANs with access control lists restricting adjacent network access to authorized management systems only. Review and disable any default accounts, enforce strong authentication for all device access, and monitor device logs for unexpected command execution patterns or authentication anomalies. Given the adjacent network attack vector, ensure management interfaces are not exposed to untrusted network segments and implement jump host or bastion server architectures for administrative access.
More in Timeprovider 4100 Firmware
View allImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Inform
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProv
OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execu
Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.0 before 2
Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP
SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-leve
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today