Description
The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission.

This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GridTime 3000 GNSS Time Server contains a CWE‑601 open redirect flaw in its password change form submission. An attacker can supply a crafted redirectUrl parameter that will cause the server to redirect a user’s browser to an arbitrary, potentially malicious site. This does not provide direct code execution or data disclosure, but it enables phishing or credential‑stealing attacks by luring users to spoofed interfaces.

Affected Systems

The flaw affects Microchip GridTime 3000 GNSS Time Server firmware versions 1.0r0.03 through 1.1r0.0 inclusive. Newer firmware starting from 1.2r0.0 has improved parameter sanitization that validates redirectUrl before the redirect is issued.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to trick a legitimate user into submitting the password change form, or to have access to the web interface. Once the redirectUrl is set, the user’s browser is automatically redirected to the attacker‑controlled site. The lack of a formally published exploit may reduce immediate risk, but the possible phishing impact justifies prompt remediation.

Generated by OpenCVE AI on June 19, 2026 at 20:02 UTC.

Remediation

Vendor Solution

Upgrade GridTime 3000 GNSS Time Server to the latest firmware. As of firmware release 1.2r0.0, parameter sanitization has been improved to validate the redirectUrl before execution.


OpenCVE Recommended Actions

  • Upgrade GridTime 3000 GNSS Time Server to firmware 1.2r0.0 or later, which applies input validation to redirectUrl.
  • If an upgrade is not immediately feasible, restrict or block the redirectUrl parameter at the network perimeter or disable the password reset function to prevent the flaw from being exploited.
  • Monitor authentication logs and network traffic for anomalous redirect patterns that may indicate exploitation attempts.

Generated by OpenCVE AI on June 19, 2026 at 20:02 UTC.
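
The first and third recommended actions above come down to two pieces of defensive logic: a redirect-target check that a password-change handler should apply before emitting a Location header, and a way to review access logs for values of that parameter that would fail such a check. The following Python is an added illustration of both; it is not the GridTime 3000 firmware code or anything published by Microchip or OpenCVE. Only the parameter name redirectUrl is taken from the advisory; the allowed hostname, the request path and the log lines are constructed for the example.

```python
"""Defensive validation of a password-change redirect target, plus a small
access-log scan for requests whose redirectUrl value fails that validation.
Illustrative code, not the GridTime 3000 firmware: the parameter name
redirectUrl comes from the advisory; hostnames, paths and log lines are made up."""
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"http", "https"}

# Request line inside a combined-log-style entry (constructed format).
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_safe_redirect(target, allowed_hosts):
    """Return True only for a same-site redirect target.

    Accepted:  a plain path such as /account?x=1, or an absolute http(s)
               URL whose hostname is in allowed_hosts.
    Rejected:  empty values; protocol-relative //host and ///host forms;
               backslashes (browsers treat them as slashes); control or
               whitespace characters (browsers strip tabs and newlines,
               which can hide the real host); non-http(s) schemes such as
               javascript:; and userinfo forms like https://good@other.
    """
    if not target:
        return False
    t = target.strip()
    if not t or any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in t):
        return False
    if "\\" in t:
        return False
    try:
        parts = urlsplit(t)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme:
        # Absolute URL: scheme must be http(s) and the host exactly ours,
        # with no user:pass@ prefix that could disguise the real host.
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False
        if parts.username is not None or parts.password is not None:
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    # No scheme: must be a plain path, never protocol-relative.
    if parts.netloc or not t.startswith("/") or t.startswith("//"):
        return False
    return True


def resolve_redirect(target, allowed_hosts, default="/"):
    """The value a handler should actually place in the Location header."""
    return target.strip() if is_safe_redirect(target, allowed_hosts) else default


def flag_unsafe_redirects(log_lines, allowed_hosts, param="redirectUrl"):
    """Return (line_no, decoded_value) for entries whose redirect parameter
    fails is_safe_redirect(); a starting point for the log review the
    recommended actions describe."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(param, []):
            if not is_safe_redirect(value, allowed_hosts):
                hits.append((n, value))
    return hits


# Constructed sample data (hostname, path and entries are not from the advisory).
ALLOWED_HOSTS = {"time.example"}
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2026:18:20:01 +0000] "POST /passwd/change?redirectUrl=%2Faccount HTTP/1.1" 302 0',
    '203.0.113.9 - - [19/Jun/2026:18:20:07 +0000] "POST /passwd/change?redirectUrl=%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0',
    '203.0.113.9 - - [19/Jun/2026:18:20:09 +0000] "POST /passwd/change?redirectUrl=https%3A%2F%2Ftime.example%40evil.example%2F HTTP/1.1" 302 0',
    '198.51.100.2 - - [19/Jun/2026:18:21:00 +0000] "GET /status HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, value in flag_unsafe_redirects(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"line {n}: unsafe redirectUrl={value!r}")
```

The validator deliberately works on the raw string before parsing (backslash and control-character rejection) because URL parsers in servers and browsers disagree on exactly those characters; an allow-list of hostnames plus a "path must start with a single slash" rule is simpler to reason about than any deny-list of bad prefixes. If the device only ever needs to return users to its own interface, dropping the absolute-URL branch entirely and accepting only local paths is the stricter choice.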

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0.
Title | (none) | Open Redirect Vulnerability in Password Reset Submission in GridTime™ 3000 GNSS Time Server
Weaknesses | (none) | CWE-601
References | (none) | (none)
Metrics | (none) | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-06-19T15:48:02.931Z

Reserved: 2026-06-18T14:15:26.621Z

Link: CVE-2026-12622

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')