
PSIRT-103: TimeProvider® 4100 Grandmaster SQL Command Injection

Vulnerability Details


  • Date of Disclosure: 10/16/2025
  • Affected Product: TimeProvider® 4100 Grandmaster
  • Vulnerability Type: SQL Injection
  • CVE Identifier: CVE-2025-47902
  • CVSS Score: 7.1 (CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H)
  • Vulnerability Description:
    • Authenticated users can execute a SQL Command Injection in the web management interface.
  • Affected Versions:
    • Firmware through 2.4
  • Vulnerability Status:
    • Resolved in firmware release 2.5

Risk Assessment


Exploitation of the vulnerability could allow an attacker to execute commands on the system.

Mitigation


Do not expose the web interface on the separate management port to an untrusted network. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploitation.

Patch/Release Information


As of version 2.5, the parameter is sanitized before it is used in the affected SQL query.
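The patch note above says the parameter is sanitized before it reaches the affected SQL query. To make concrete why splicing a request parameter into SQL text is the defect and why binding it as a parameter is the fix, here is an added illustration in Python with SQLite. It is not Microchip's firmware code: the TimeProvider 4100 web interface's language, schema, table names and query are not published, so the `users` table, the sample rows and the `name` lookup are constructed assumptions standing in for whatever the real query does.

```python
import re
import sqlite3

# Constructed sample data (assumption: stands in for some device table the
# web interface queries; the real schema is not part of the advisory).
SAMPLE_ROWS = [
    ("admin", "Administrator"),
    ("operator", "Operator"),
    ("viewer", "Read-only"),
]


def _connect():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(name):
    """Pre-fix pattern: the request parameter is concatenated into the SQL text,
    so quote characters in the parameter change the structure of the query."""
    conn = _connect()
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(name):
    """Patched pattern: the parameter is bound with a placeholder. The database
    treats the whole value as data, never as SQL syntax, so the query structure
    is fixed regardless of the input."""
    conn = _connect()
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_well_formed_name(value):
    """Defence in depth: an allow-list check on the parameter's expected shape
    (assumption: account names here are short alphanumerics). Parameterization
    is the real fix; this only lets the server reject malformed input early
    and log it for detection."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


if __name__ == "__main__":
    # A tautology appended to the parameter changes what the unpatched query
    # returns; the same input is just an unmatched literal for the fixed query.
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(crafted))   # every row leaks
    print("fixed:     ", lookup_fixed(crafted))        # no row matches
    print("allow-list rejects it:", not is_well_formed_name(crafted))
```

The key point for reviewers of similar code: a server-side check like `is_well_formed_name` is worth adding for rejection and logging, but it must not be the only control, because the set of characters that can alter a query depends on the database and the query context; the placeholder in `lookup_fixed` removes the problem independent of what the input contains.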

Acknowledgements


Reported by Dario Emilio Bertani, Raffaele Bova, Andrea Sindoni, Simone Bossi, Antonio Carriero, Marco Manieri, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli, and TIM Security Red Team Research.

Recommendations


It is strongly recommended that all customers upgrade to version 2.5 or newer.
