Skip to main content

Timeprovider 4100 Firmware CVE-2025-47901

HIGH
OS Command Injection (CWE-78)
2025-10-20 dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 31, 2026 - 11:37 vuln.today
CVE Published
Oct 20, 2025 - 18:15 nvd
HIGH 8.9

DescriptionCVE.org

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Microchip Time Provider 4100 allows OS Command Injection.This issue affects Time Provider 4100: before 2.5.

AnalysisAI

OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated attackers on adjacent networks to execute arbitrary system commands with high privileges, leading to complete device compromise. The vulnerability requires low attack complexity and low privileges, with exploitation probability at 0.28% (EPSS), indicating moderate real-world risk. No public exploit identified at time of analysis, but the adjacent network requirement and low complexity make this readily exploitable in targeted attacks against time synchronization infrastructure.

Technical ContextAI

The Microchip TimeProvider 4100 is a precision timing device that provides GPS-disciplined time synchronization for critical infrastructure and enterprise networks. This vulnerability (CWE-78: OS Command Injection) stems from improper neutralization of special characters in user-supplied input before passing it to system shell commands. The firmware running on the cpe:2.3:o:microchip:timeprovider_4100_firmware platform fails to sanitize input that gets interpolated into operating system commands, allowing authenticated users to break out of intended command contexts and execute arbitrary shell commands. The CVSS 4.0 vector indicates adjacent network access (AV:A) is required, meaning the attacker must be on the same network segment as the device, which is typical for industrial control system and timing infrastructure deployments. The Present Attack Complexity (AT:P) suggests some non-trivial conditions must be met, potentially related to specific operational states or timing windows.

RemediationAI

Upgrade all Microchip TimeProvider 4100 devices to firmware version 2.5 or later, which contains fixes for the command injection vulnerability. Consult the vendor advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution-47901 for detailed upgrade procedures and any model-specific considerations. As compensating controls during the upgrade window, implement strict network segmentation to isolate timing infrastructure on dedicated VLANs with access control lists restricting adjacent network access to authorized management systems only. Review and disable any default accounts, enforce strong authentication for all device access, and monitor device logs for unexpected command execution patterns or authentication anomalies. Given the adjacent network attack vector, ensure management interfaces are not exposed to untrusted network segments and implement jump host or bastion server architectures for administrative access.

CVE-2024-9054 HIGH POC
8.5 Oct 04

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Inform

CVE-2024-43687 HIGH POC
7.7 Oct 04

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T

CVE-2024-7801 MEDIUM POC
6.3 Oct 04

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProv

CVE-2025-47900 HIGH
8.9 Oct 20

OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execu

CVE-2024-43685 HIGH
8.7 Oct 04

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.0 before 2

CVE-2024-43684 HIGH
8.7 Oct 04

Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-

CVE-2024-43683 HIGH
8.7 Oct 04

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP

CVE-2025-47902 HIGH
7.1 Oct 20

SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-leve

CVE-2025-47904 MEDIUM
5.7 Feb 24

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software

CVE-2024-43686 MEDIUM
5.4 Oct 04

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T

Share

CVE-2025-47901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy