Skip to main content

Timeprovider 4100 Firmware CVE-2025-47902

HIGH
SQL Injection (CWE-89)
2025-10-20 dc3f6da9-85b5-4a73-84a2-2ec90b40fca5
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 31, 2026 - 11:37 vuln.today
CVE Published
Oct 20, 2025 - 18:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip Time Provider 4100 allows SQL Injection.This issue affects Time Provider 4100: before 2.5.

AnalysisAI

SQL injection in Microchip TimeProvider 4100 Grandmaster (firmware <2.5) allows adjacent network attackers with low-level privileges to achieve high integrity and availability impact across system and vulnerable components. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit identified at time of analysis. Authentication requirements indicate PR:L (low privileges required) per CVSS vector. Attack complexity is low but requires present attack timing conditions (AT:P).

Technical ContextAI

This vulnerability affects the Microchip TimeProvider 4100 Grandmaster, a precision time synchronization appliance used in critical telecommunications and industrial infrastructure. The flaw stems from CWE-89 (SQL Injection), where user-supplied input is improperly sanitized before being incorporated into SQL queries. The CVSS 4.0 vector indicates adjacent network access (AV:A) is required, meaning attackers must be on the same network segment as the device. The CPE identifier cpe:2.3:o:microchip:timeprovider_4100_firmware confirms this is a firmware-level vulnerability in the device's operating system. SQL injection vulnerabilities in embedded timing infrastructure are particularly concerning as these devices often serve as authoritative time sources for entire network segments, and integrity compromise could cascade to dependent systems relying on accurate time synchronization.

RemediationAI

Upgrade Microchip TimeProvider 4100 firmware to version 2.5 or later, which addresses the SQL injection vulnerability. Obtain the patched firmware from Microchip's official security advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-sql-command-injection-47902. Follow vendor-provided upgrade procedures carefully as timing infrastructure requires careful change management to avoid service disruption. Until patching is completed, implement network segmentation to restrict adjacent network access to the TimeProvider 4100 management interfaces, enforce strong authentication for all administrative accounts (the vulnerability requires PR:L authenticated access), monitor SQL query logs for injection attempts, and apply principle of least privilege to limit which accounts can interact with database-backed management functions. Review and harden adjacent network access controls to ensure only authorized administrative systems can reach the device's management plane.

CVE-2024-9054 HIGH POC
8.5 Oct 04

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Inform

CVE-2024-43687 HIGH POC
7.7 Oct 04

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T

CVE-2024-7801 MEDIUM POC
6.3 Oct 04

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProv

CVE-2025-47901 HIGH
8.9 Oct 20

OS command injection in Microchip TimeProvider 4100 Grandmaster (firmware versions before 2.5) allows authenticated atta

CVE-2025-47900 HIGH
8.9 Oct 20

OS command injection in Microchip TimeProvider 4100 Grandmaster allows authenticated adjacent network attackers to execu

CVE-2024-43685 HIGH
8.7 Oct 04

Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking.0 before 2

CVE-2024-43684 HIGH
8.7 Oct 04

Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-

CVE-2024-43683 HIGH
8.7 Oct 04

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP

CVE-2025-47904 MEDIUM
5.7 Feb 24

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software

CVE-2024-43686 MEDIUM
5.4 Oct 04

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip T

Share

CVE-2025-47902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy