CVE-2025-47901
HIGH
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection. This issue affects Time Provider 4100: before 2.5.
Analysis
OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated attackers on adjacent networks to execute arbitrary system commands with high privileges, leading to complete device compromise. The vulnerability requires low attack complexity and low privileges, with exploitation probability at 0.28% (EPSS), indicating moderate real-world risk. No public exploit identified at time of analysis, but the adjacent network requirement and low complexity make this readily exploitable in targeted attacks against time synchronization infrastructure.
Technical Context
The Microchip TimeProvider 4100 is a precision timing device that provides GPS-disciplined time synchronization for critical infrastructure and enterprise networks. This vulnerability (CWE-78: OS Command Injection) stems from improper neutralization of special characters in user-supplied input before passing it to system shell commands. The firmware running on the cpe:2.3:o:microchip:timeprovider_4100_firmware platform fails to sanitize input that gets interpolated into operating system commands, allowing authenticated users to break out of intended command contexts and execute arbitrary shell commands. The CVSS 4.0 vector indicates adjacent network access (AV:A) is required, meaning the attacker must be on the same network segment as the device, which is typical for industrial control system and timing infrastructure deployments. The Attack Requirements metric is set to Present (AT:P), which suggests some non-trivial conditions must be met, potentially related to specific operational states or timing windows.
Affected Products
Microchip TimeProvider 4100 Grandmaster clock systems running firmware versions prior to 2.5 are affected, specifically identified by CPE string cpe:2.3:o:microchip:timeprovider_4100_firmware:*:*:*:*:*:*:*:*. The TimeProvider 4100 is a GNSS-disciplined precision timing appliance used in telecommunications, financial services, and critical infrastructure for network time synchronization and compliance with timing standards. Organizations should verify their firmware versions through the device management interface. The vendor security advisory is available at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution-47901 with detailed product identification guidance.
Remediation
Upgrade all Microchip TimeProvider 4100 devices to firmware version 2.5 or later, which contains fixes for the command injection vulnerability. Consult the vendor advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution-47901 for detailed upgrade procedures and any model-specific considerations. As compensating controls during the upgrade window, implement strict network segmentation to isolate timing infrastructure on dedicated VLANs with access control lists restricting adjacent network access to authorized management systems only. Review and disable any default accounts, enforce strong authentication for all device access, and monitor device logs for unexpected command execution patterns or authentication anomalies. Given the adjacent network attack vector, ensure management interfaces are not exposed to untrusted network segments and implement jump host or bastion server architectures for administrative access.