Description
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
Published: 2026-03-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply patch
AI Analysis

Impact

Microchip Time Provider 4100 firmware before version 2.5.0 uses hard‑coded passwords to decrypt upgrade images, allowing a malicious actor to craft a forged update that will be accepted and installed by the device. This flaw could lead to arbitrary code execution, data tampering, or denial of service on the compromised hardware. The weakness is categorized as CWE‑798 (Use of Hard‑coded Credentials).

Affected Systems

The vulnerability affects Microchip Time Provider 4100 devices running firmware versions earlier than 2.5.0; newer releases contain the fix.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity, and no EPSS value is available. The flaw is not listed in the CISA KEV catalog. Exploitation requires access to the device’s upgrade interface, which operates over a separate management port. If that port is exposed to an untrusted network, an attacker can hijack the upgrade flow and push malicious firmware. When restricted to a trusted environment and protected by ACLs, the risk is greatly reduced, but the fundamental vulnerability remains until the firmware is updated.

Generated by OpenCVE AI on March 28, 2026 at 12:21 UTC.

Remediation

Vendor Workaround

Upgrades are only available on a separate management port which should not be connected to an untrusted network. ACLs are available to further restrict access to only trusted addresses.

OpenCVE Recommended Actions

  • Update the device to firmware version 2.5.0 or later, which removes the hard‑coded decryption passwords.
  • If an update is not possible, isolate the upgrade management port so it is not reachable from untrusted networks.
  • Configure ACLs on the management port to allow connections only from trusted IP addresses.
  • Verify that the device is running the patched firmware version before performing any further operations.
  • Contact Microchip for additional guidance if the device cannot be upgraded or reconfigured.

Generated by OpenCVE AI on March 28, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
References

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Microchip
Microchip timeprovider 4100
Vendors & Products Microchip
Microchip timeprovider 4100

Sat, 28 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
Title Hardcoded Upgrade Decryption Passwords
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P'}

Subscriptions

Microchip Timeprovider 4100
cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-04-01T13:55:03.527Z

Reserved: 2025-08-26T17:59:09.578Z

Link: CVE-2025-9497

cve-icon Vulnrichment

Updated: 2026-04-01T13:54:57.440Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-28T11:16:35.337

Modified: 2026-04-01T14:16:25.980

Link: CVE-2025-9497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:59:44Z

Weaknesses