Skip to main content

Time Provider 4100 EUVDEUVD-2025-209112

| CVE-2025-9497 MEDIUM
Use of Hard-coded Credentials (CWE-798)
2026-03-28 Microchip GHSA-gv5m-4fg8-r764
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.0
EUVD ID Assigned
Mar 28, 2026 - 11:15 euvd
EUVD-2025-209112
Analysis Generated
Mar 28, 2026 - 11:15 vuln.today
CVE Published
Mar 28, 2026 - 10:58 nvd
MEDIUM 5.5

DescriptionCVE.org

Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.

AnalysisAI

Microchip Time Provider 4100 contains hard-coded credentials used for software update decryption, allowing malicious actors to craft and deploy unauthorized firmware updates without detection. Versions prior to 2.5.0 are affected. An attacker with local or network access to the device can leverage these credentials to bypass authentication controls during the manual software update process, potentially gaining full control of the time synchronization infrastructure.

Technical ContextAI

This vulnerability exploits the use of hard-coded credentials (CWE-798) embedded in the Microchip Time Provider 4100 firmware or update mechanism. The Time Provider 4100 is a network time protocol (NTP) appliance responsible for distributing precise time across enterprise networks. The device implements firmware update functionality that uses cryptographic decryption to verify update authenticity and integrity. However, the decryption keys or passwords are statically embedded in the product, rendering the authentication mechanism ineffective against any attacker with knowledge of these credentials. This eliminates the intended security boundary between authorized and unauthorized updates, converting a security-critical control into a false sense of protection.

RemediationAI

Vendor-released patch: upgrade Microchip Time Provider 4100 to version 2.5.0 or later. This patched version removes or rotates the hard-coded credentials and implements dynamic credential management for the firmware update mechanism. Organizations unable to upgrade immediately should restrict network access to Time Provider 4100 devices via firewall rules, limiting update traffic to authenticated administrative networks only, and monitor for unauthorized firmware update attempts. Consult the Microchip security advisory for detailed upgrade procedures and any interim security measures.

Share

EUVD-2025-209112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy