Description
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
Published: 2026-03-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply patch
AI Analysis

Impact

Microchip Time Provider 4100 firmware before version 2.5.0 uses hard‑coded passwords to decrypt upgrade images, allowing a malicious actor to craft a forged update that will be accepted and installed by the device. This flaw could lead to arbitrary code execution, data tampering, or denial of service on the compromised hardware. The weakness is categorized as CWE‑798 (Use of Hard‑coded Credentials).

Affected Systems

The vulnerability affects Microchip Time Provider 4100 devices running firmware versions earlier than 2.5.0; newer releases contain the fix.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity, and no EPSS value is available. The flaw is not listed in the CISA KEV catalog. Exploitation requires access to the device’s upgrade interface, which operates over a separate management port. If that port is exposed to an untrusted network, an attacker can hijack the upgrade flow and push malicious firmware. When restricted to a trusted environment and protected by ACLs, the risk is greatly reduced, but the fundamental vulnerability remains until the firmware is updated.

Generated by OpenCVE AI on March 28, 2026 at 12:21 UTC.

Remediation

Vendor Workaround

Upgrades are only available on a separate management port which should not be connected to an untrusted network. ACLs are available to further restrict access to only trusted addresses.

OpenCVE Recommended Actions

  • Update the device to firmware version 2.5.0 or later, which removes the hard‑coded decryption passwords.
  • If an update is not possible, isolate the upgrade management port so it is not reachable from untrusted networks.
  • Configure ACLs on the management port to allow connections only from trusted IP addresses.
  • Verify that the device is running the patched firmware version before performing any further operations.
  • Contact Microchip for additional guidance if the device cannot be upgraded or reconfigured.

Generated by OpenCVE AI on March 28, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
Title Hardcoded Upgrade Decryption Passwords
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-03-28T10:58:29.620Z

Reserved: 2025-08-26T17:59:09.578Z

Link: CVE-2025-9497

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-28T11:16:35.337

Modified: 2026-03-28T11:16:35.337

Link: CVE-2025-9497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:32:36Z

Weaknesses