Description
Missing Authentication for Critical Function vulnerability in Microchip TimePictra allows Configuration/Environment Manipulation.This issue affects TimePictra: from 11.0 through 11.3 SP2.
Published: 2026-02-28
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Access
Action: Control Access
AI Analysis

Impact

Microchip TimePictra suffers from a missing authentication check for a critical configuration function, which permits an attacker to modify system settings and the operating environment. The vulnerability can enable unauthorized manipulation of device behavior, potentially compromising device integrity and availability. The weakness is identified as CWE-306, indicating a missing authentication flaw.

Affected Systems

The affected product is Microchip TimePictra, versions 11.0 through 11.3 SP2. Users running these releases are susceptible to the authentication bypass and may be able to alter configuration and environment settings without proper credentials.

Risk and Exploitability

The CVSS score is 9.3, classifying the issue as critical. The EPSS score is less than 1%, suggesting limited current exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the web application interface that offers the configuration functionality; an attacker would need network access to the device’s web server to exploit the flaw. If exploited, an attacker could gain unauthorized access to modify critical settings, which could lead to service disruption or further compromise of the embedded system.

Generated by OpenCVE AI on April 16, 2026 at 15:06 UTC.

Remediation

Vendor Workaround

Control access to the web application

OpenCVE Recommended Actions

  • Apply the vendor patch when one becomes available
  • Configure network access controls to restrict connection to the TimePictra web application
  • Limit or disable the affected configuration function if possible
  • Monitor system logs for unauthorized configuration changes

Generated by OpenCVE AI on April 16, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microchip:timepictra:*:*:*:*:*:*:*:*
cpe:2.3:a:microchip:timepictra:11.3:sp1:*:*:*:*:*:*
cpe:2.3:a:microchip:timepictra:11.3:sp2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Mon, 02 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Microchip
Microchip timepictra
Vendors & Products Microchip
Microchip timepictra

Sat, 28 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authentication for Critical Function vulnerability in Microchip TimePictra allows Configuration/Environment Manipulation.This issue affects TimePictra: from 11.0 through 11.3 SP2.
Title TimePictra Authentication Bypass Vulnerability
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Microchip Timepictra
cve-icon MITRE

Status: PUBLISHED

Assigner: Microchip

Published:

Updated: 2026-03-02T15:23:13.286Z

Reserved: 2026-02-20T05:31:04.082Z

Link: CVE-2026-2844

cve-icon Vulnrichment

Updated: 2026-03-02T15:22:45.274Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-28T12:16:37.713

Modified: 2026-03-10T14:34:17.570

Link: CVE-2026-2844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses