PSIRT-102: TimeProvider® 4100 Grandmaster Remote Command Execution

Date of Disclosure: 10/16/2025

Affected Product: TimeProvider^® 4100 Grandmaster

• Vulnerability Type: Remote command execution (RCE)
• CVE Identifier: CVE-2025-47901
• CVSS Score: 8.9 (CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
• Vulnerability Description:
  • Authenticated users can execute arbitrary system commands through the management web interface.
• Affected Versions: 
  • Firmware through 2.4
• Vulnerability Status: 
  • Resolved in firmware release 2.5

Exploitation of the vulnerability could allow an attacker to execute commands on the system.

Do not expose the web interface on the separate management port to an untrusted network. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitation.

As of version 2.5, the parameter is sanitized before it is used.

Reported by Dario Emilio Bertani, Raffaele Bova, Andrea Sindoni, Simone Bossi, Antonio Carriero, Marco Manieri, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli, and TIM Security Red Team Research.

It is strongly recommended that all customers upgrade to version 2.5 or newer.