Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
AnalysisAI
Microchip Time Provider 4100 contains hard-coded credentials used for software update decryption, allowing malicious actors to craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can leverage these credentials to bypass authentication controls during the manual software update process, potentially gaining full control of the time synchronization infrastructure.
Technical ContextAI
This vulnerability exploits the use of hard-coded credentials (CWE-798) embedded in the Microchip Time Provider 4100 firmware or update mechanism. The Time Provider 4100 is a network time protocol (NTP) appliance responsible for distributing precise time across enterprise networks. The device implements firmware update functionality that uses cryptographic decryption to verify update authenticity and integrity. However, the decryption keys or passwords are statically embedded in the product, rendering the authentication mechanism ineffective against any attacker with knowledge of these credentials. This eliminates the intended security boundary between authorized and unauthorized updates, converting a security-critical control into a false sense of protection.
RemediationAI
Vendor-released patch: upgrade Microchip Time Provider 4100 to version 2.5.0 or later. This patched version removes or rotates the hard-coded credentials and implements dynamic credential management for the firmware update mechanism. Organizations unable to upgrade immediately should restrict network access to Time Provider 4100 devices via firewall rules, limiting update traffic to authenticated administrative networks only, and monitor for unauthorized firmware update attempts. Consult the Microchip security advisory for detailed upgrade procedures and any interim security measures.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209112
GHSA-gv5m-4fg8-r764