
PSIRT-104: TimeProvider™ 4100 Hardcoded Upgrade Decryption Passwords

Vulnerability Details


Date of Disclosure: 02/25/2026

Affected Product: TimeProvider™ 4100 GNSS GrandMaster

  • Vulnerability Type: Hardcoded upgrade decryption passwords - CWE-798
  • CVE Identifier: CVE-2025-9497
  • CVSS Score: 5.5 (CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P)
  • Vulnerability Description:
    • It is possible to extract the passwords used to decrypt the configuration file and the filesystem packet
  • Affected Versions: 
    •  All firmware versions
  • Vulnerability Status: 
    • To be addressed in a future version

Risk Assessment


Exploiting this vulnerability requires an attacker to have already penetrated the unit, extracted the root password, and gained total access to the system, which is a complex and expensive attack.

Mitigation


Upgrades are available only on a separate management port, which should not be connected to an untrusted network. ACLs are available to further restrict access to trusted addresses only.

Patch/Release Information


May be addressed in a future release

Acknowledgements


Reported by Dario Emilio Bertani, Raffaele Bova, Andrea Sindoni, Simone Bossi, Antonio Carriero, Marco Manieri, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli and TIM Security Red Team Research

Recommendations


It is strongly recommended that all customers upgrade to the latest firmware.
