Timeprovider 4100 Firmware
CVE-2025-47902
HIGH
Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip Time Provider 4100 allows SQL Injection.This issue affects Time Provider 4100: before 2.5.
AnalysisAI
SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-level privileges to achieve high integrity and availability impact across system and vulnerable components. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit identified at time of analysis. Authentication requirements indicate PR:L (low privileges required) per CVSS vector. Attack complexity is low but requires present attack timing conditions (AT:P).
Technical ContextAI
This vulnerability affects the Microchip TimeProvider 4100 Grandmaster, a precision time synchronization appliance used in critical telecommunications and industrial infrastructure. The flaw stems from CWE-89 (SQL Injection), where user-supplied input is improperly sanitized before being incorporated into SQL queries. The CVSS 4.0 vector indicates adjacent network access (AV:A) is required, meaning attackers must be on the same network segment as the device. The CPE identifier cpe:2.3:o:microchip:timeprovider_4100_firmware confirms this is a firmware-level vulnerability in the device's operating system. SQL injection vulnerabilities in embedded timing infrastructure are particularly concerning as these devices often serve as authoritative time sources for entire network segments, and integrity compromise could cascade to dependent systems relying on accurate time synchronization.
RemediationAI
Upgrade Microchip TimeProvider 4100 firmware to version 2.5 or later, which addresses the SQL injection vulnerability. Obtain the patched firmware from Microchip's official security advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-sql-command-injection-47902. Follow vendor-provided upgrade procedures carefully as timing infrastructure requires careful change management to avoid service disruption. Until patching is completed, implement network segmentation to restrict adjacent network access to the TimeProvider 4100 management interfaces, enforce strong authentication for all administrative accounts (the vulnerability requires PR:L authenticated access), monitor SQL query logs for injection attempts, and apply principle of least privilege to limit which accounts can interact with database-backed management functions. Review and harden adjacent network access controls to ensure only authorized administrative systems can reach the device's management plane.
More in Timeprovider 4100 Firmware
View allImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Inform
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProv
OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated atta
OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execu
Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.0 before 2
Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today