CVE-2025-9497

EUVD-2025-209112 | MEDIUM
2026-03-28 | Microchip | GHSA-gv5m-4fg8-r764
CVSS 4.0 base score: 5.5

CVSS Vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 11:15 (vuln.today)
EUVD ID Assigned: Mar 28, 2026 - 11:15 (euvd) - EUVD-2025-209112
CVE Published: Mar 28, 2026 - 10:58 (nvd) - MEDIUM 5.5

Description

Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update. This issue affects Time Provider 4100: before 2.5.0.

Analysis

Microchip Time Provider 4100 contains hard-coded credentials used to decrypt software update packages, which lets a malicious actor craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can use these credentials to bypass the authentication controls of the manual software update process, potentially gaining full control of the time synchronization infrastructure.

Technical Context

This vulnerability stems from the use of hard-coded credentials (CWE-798) embedded in the Microchip Time Provider 4100 firmware or update mechanism. The Time Provider 4100 is a network time protocol (NTP) appliance responsible for distributing precise time across enterprise networks. The device implements firmware update functionality that uses cryptographic decryption to verify update authenticity and integrity. However, the decryption keys or passwords are statically embedded in the product, so the check is effective only against attackers who do not know these credentials. Because every unit carries the same secret, the intended security boundary between authorized and unauthorized updates is eliminated, and a security-critical control becomes a false sense of protection.
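To make the design flaw concrete, the following Go program is an added illustration (not code from Microchip or from this advisory) of why a decryption key shared by every device cannot serve as an authenticity check, and what the hardened alternative looks like. The `FWUP` header, the key bytes and the update payloads are constructed values; the Time Provider 4100's real update format is not described on this page. The weak path decrypts with a fleet-wide key and trusts anything with a valid header, so any holder of that key produces an accepted image; the hardened path embeds only a public key, so the verification credential stored on the device gives its holder no ability to produce a valid image.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// magic is a hypothetical plaintext header the device expects after decryption.
var magic = []byte("FWUP")

// hardcodedKey stands in for a decryption key baked into every unit's firmware.
// Constructed value for this example; not the vendor's key.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// sealWithSharedKey builds an update package in the weak design's format:
// AES-GCM over (magic || payload) under the shared key. Anyone holding the
// same key, e.g. after reading it out of any shipped unit, can produce one.
func sealWithSharedKey(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, magic...), payload...)
	return append(nonce, gcm.Seal(nil, nonce, plain, nil)...), nil
}

// acceptWeak models the vulnerable check (CWE-798): decrypt with the embedded
// key and trust the result if the header matches. A confidentiality key is
// being used as if it proved the package's origin.
func acceptWeak(pkg []byte) ([]byte, bool) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false
	}
	ns := gcm.NonceSize()
	if len(pkg) < ns {
		return nil, false
	}
	plain, err := gcm.Open(nil, pkg[:ns], pkg[ns:], nil)
	if err != nil || !bytes.HasPrefix(plain, magic) {
		return nil, false
	}
	return plain[len(magic):], true
}

// acceptSigned models the hardened check: the device stores only the vendor's
// Ed25519 public key and verifies a signature over the image. Extracting pub
// from a unit does not allow anyone to sign a new image.
func acceptSigned(pub ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(pub, payload, sig)
}

func main() {
	// Weak design: an image sealed by any holder of the fleet key is accepted.
	pkg, _ := sealWithSharedKey(hardcodedKey, []byte("image not produced by the vendor"))
	_, ok := acceptWeak(pkg)
	fmt.Println("weak design accepts non-vendor image:", ok)

	// Hardened design: only images signed with the vendor's private key pass,
	// and any modification of a signed image is rejected.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("vendor firmware image (constructed)")
	sig := ed25519.Sign(priv, image)
	fmt.Println("signed vendor image accepted:", acceptSigned(pub, image, sig))
	fmt.Println("tampered image accepted:", acceptSigned(pub, append(image, '!'), sig))
}
```

The defender's takeaway is the asymmetry: with `acceptWeak`, the secret that verifies also creates, so one extracted copy compromises the whole fleet; with `acceptSigned`, the device-resident material is public and the signing key can stay in the vendor's release infrastructure and be rotated independently of shipped units.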

Affected Products

Microchip Time Provider 4100 versions before 2.5.0 are affected. The vulnerability impacts all instances of this NTP time synchronization appliance deployed with firmware versions prior to the 2.5.0 release. Organizations using Time Provider 4100 devices in production environments should consult the Microchip advisory at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-hardcoded-upgrade-decryption-passwords for precise version scope and compatibility information.

Remediation

Vendor-released patch: upgrade Microchip Time Provider 4100 to version 2.5.0 or later. This patched version removes or rotates the hard-coded credentials and implements dynamic credential management for the firmware update mechanism. Organizations unable to upgrade immediately should restrict network access to Time Provider 4100 devices via firewall rules, limiting update traffic to authenticated administrative networks only, and monitor for unauthorized firmware update attempts. Consult the Microchip security advisory for detailed upgrade procedures and any interim security measures.

Priority Score

Priority score: 28
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
