
PSIRT-147: GridTime™ 3000 GNSS Time Server Open Redirect

Vulnerability Details


Open Redirect Vulnerability in Password Reset Submission in GridTime™ 3000 GNSS Time Server

An open redirect vulnerability in the GridTime 3000 password reset form allows submission of the password change form to redirect the browser to an arbitrary, uncontrolled URL. This issue affects GridTime 3000: from 1.0r0.03 before 1.2r0.0.

CWE-601

Date of Disclosure: 06/10/2026

Affected Product:  GridTime 3000 GNSS Time Server

  • Vulnerability Type: Open redirect (redirectUrl parameter)
  • CVE Identifier: CVE-2026-12622
  • CVSS Score:  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    CVSS 4.0 Score: 5.3 / Medium 
  • Vulnerability Description:
    • The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission.
  • Affected Versions: 
    • Firmware 1.0r0.03 through 1.1r0.0
  • Vulnerability Status: 
    • Resolved in firmware release 1.2r0.0

Risk Assessment


Exploitation of the vulnerability allows an attacker with valid credentials to craft malicious URLs containing a redirectUrl to an untrusted site.

Mitigation


Upgrade GridTime 3000 GNSS Time Server to the latest firmware.

Patch/Release Information


As of the firmware release 1.2r0.0, parameter sanitization has been improved to validate the redirectUrl before execution.
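
For teams reviewing similar redirectUrl-style parameters in their own web applications, the following is an added example of redirect-target validation; it is not Microchip's firmware code. The function name `safe_redirect_target`, the `TRUSTED_ORIGIN` hostname and the fallback path are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the management UI is served from one known origin on its
# default port. The hostname below is a constructed placeholder.
TRUSTED_ORIGIN = ("https", "timeserver.example.internal")
FALLBACK = "/"


def safe_redirect_target(redirect_url, trusted_origin=TRUSTED_ORIGIN, fallback=FALLBACK):
    """Return a same-origin path for redirect_url, or fallback if it is untrusted."""
    if not redirect_url or len(redirect_url) > 2048:
        return fallback
    # Browsers drop tabs/newlines and treat "\" like "/", so reject whitespace,
    # control characters and backslashes instead of trying to normalise them.
    if "\\" in redirect_url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in redirect_url):
        return fallback
    try:
        parts = urlsplit(redirect_url)
        host, port = (parts.hostname or "").lower(), parts.port
    except ValueError:  # malformed authority, e.g. a non-numeric port
        return fallback
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: require an exact scheme and host
        # match, with no userinfo ("trusted@evil") and no explicit port.
        if (parts.scheme.lower(), host) != trusted_origin:
            return fallback
        if parts.username is not None or port is not None:
            return fallback
    # What remains must be a rooted path; a "//host" prefix is scheme-relative.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    # Rebuild from the parsed parts so only a path and query are ever emitted.
    return parts.path + ("?" + parts.query if parts.query else "")
```

The caller issues the redirect with the returned value only, never with the raw parameter.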

Recommendations


It is strongly recommended that all customers upgrade GridTime 3000 GNSS Time Server to firmware version 1.2r0.0 or newer.
