CVE-2025-47902
Severity: HIGH
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip Time Provider 4100 allows SQL Injection. This issue affects Time Provider 4100: before 2.5.
Analysis
SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-level privileges to achieve high integrity and availability impact on both the vulnerable system (VI:H/VA:H) and subsequent systems that depend on it (SI:H/SA:H). EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit identified at time of analysis. The CVSS vector indicates low privileges are required (PR:L), so an attacker must already hold an authenticated account on the device. Attack complexity is low (AC:L), but attack requirements are present (AT:P), meaning specific deployment or execution conditions must hold for exploitation to succeed.
Technical Context
This vulnerability affects the Microchip TimeProvider 4100 Grandmaster, a precision time synchronization appliance used in critical telecommunications and industrial infrastructure. The flaw stems from CWE-89 (SQL Injection), where user-supplied input is improperly sanitized before being incorporated into SQL queries. The CVSS 4.0 vector indicates adjacent network access (AV:A) is required, meaning attackers must be on the same network segment as the device. The CPE identifier cpe:2.3:o:microchip:timeprovider_4100_firmware confirms this is a firmware-level vulnerability in the device's operating system. SQL injection vulnerabilities in embedded timing infrastructure are particularly concerning as these devices often serve as authoritative time sources for entire network segments, and integrity compromise could cascade to dependent systems relying on accurate time synchronization.
Affected Products
Microchip TimeProvider 4100 Grandmaster firmware versions prior to 2.5 are affected, identified by CPE cpe:2.3:o:microchip:timeprovider_4100_firmware:*:*:*:*:*:*:*:*. The TimeProvider 4100 is a precision timing device used for network synchronization in telecommunications, financial services, and industrial control environments. Microchip has published a dedicated security advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-sql-command-injection-47902 with detailed affected version information and remediation guidance.
Remediation
Upgrade Microchip TimeProvider 4100 firmware to version 2.5 or later, which addresses the SQL injection vulnerability. Obtain the patched firmware from Microchip's official security advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-sql-command-injection-47902. Follow the vendor-provided upgrade procedures, since timing infrastructure requires controlled change management to avoid service disruption to downstream clients. Until patching is completed, implement network segmentation to restrict adjacent network access to the TimeProvider 4100 management interfaces, enforce strong authentication for all administrative accounts (the vulnerability requires PR:L authenticated access), monitor SQL query logs for injection attempts, and apply the principle of least privilege to limit which accounts can interact with database-backed management functions. Review and harden adjacent network access controls to ensure only authorized administrative systems can reach the device's management plane.