CVE-2025-47904

4.1 MEDIUM

📋 TL;DR

Microchip TimeProvider 4100 devices running firmware before version 2.5 accept firmware upgrade images without cryptographic (signature) verification, so anyone who can reach the management interface and authenticate to it can install a modified image. Organizations that rely on these appliances for time synchronization are affected: a successful upload compromises the integrity of the device and of the time it serves to the rest of the network.

💻 Affected Systems

Products:
  • Microchip TimeProvider 4100
Versions: All versions before 2.5
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in default configuration when management interface is accessible.

📦 What is this software?

The Microchip TimeProvider 4100 is a network time synchronization appliance: it distributes time to other systems on the network and is managed through a web interface (which includes the firmware upgrade function this CVE concerns) and an SSH command line.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device takeover: manipulation of the time served to every system that synchronizes to the device, theft of credentials held on it, or use of the device as a pivot point for lateral movement.

🟠 Likely Case: Installation of malicious firmware that gives the attacker a persistent backdoor, the ability to spoof time, or a way to deny service.

🟢 If Mitigated: Exposure is limited to attackers who hold valid credentials and can reach the management interface from a permitted network.

🌐 Internet-Facing: MEDIUM - Requires the management interface to be exposed directly to the internet, which is uncommon in a proper deployment.
🏢 Internal Only: HIGH - An insider or a compromised internal host can exploit this to compromise the time infrastructure the rest of the network depends on.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (valid credentials for the management interface are required)
Complexity: LOW

Requires authenticated network access to the management interface and the ability to submit a firmware file through its upgrade function. Because firmware before version 2.5 performs no cryptographic verification of the image, a modified image is installed like any other; no further bypass is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5

Vendor Advisory: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability

Restart Required: Yes

Instructions:

1. Download firmware version 2.5 from the Microchip support portal.
2. Log into the device web interface.
3. Navigate to System > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the upgrade to complete and the device to reboot.

Note that this upgrade is itself performed by firmware that does not yet verify images. Obtain the file directly from Microchip, compare it against any checksum Microchip publishes for the release before uploading, and perform the upload from a trusted administrative host on the management network rather than across an untrusted segment.

🔧 Temporary Workarounds

Network segmentation (applies to: all versions)

Restrict access to the device management interface to authorized administrators only.

Disable remote management (applies to: all versions)

Use local console access only for device management.

🧯 If You Can't Patch

  • Implement strict network ACLs allowing only trusted IPs to access management interface
  • Monitor for unauthorized firmware upload attempts in network logs

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the web interface under System > Status, or over SSH with the 'show version' command. Any firmware version below 2.5 is vulnerable.

Check Version:

ssh admin@device-ip 'show version'

Verify Fix Applied:

Confirm that the firmware version shown on the System > Status page (or by 'show version') is 2.5 or higher.
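A small checker for the 'show version' output, added here as an example and not Microchip tooling: it pulls the dotted version number out of the command output and compares it numerically against 2.5, which avoids the string-comparison mistake where "2.10" sorts below "2.5". The layout of the sample output is constructed and assumed; adapt the regex if your device prints the version differently, then feed the function the output of the ssh command above collected from each device.

```python
"""Assess TimeProvider 4100 'show version' output against the 2.5 fix.

Added example, not Microchip code. The output layout below is assumed
and constructed; only a line mentioning 'version' that carries a
dotted number is used.
"""
import re

# First firmware release that verifies upgrade images, per the vendor advisory.
FIXED_VERSION = (2, 5)

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def version_tuple(version):
    """'2.4.1' -> (2, 4, 1). Tuples compare numerically, so '2.10' > '2.5'."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True for any plain dotted firmware version older than 2.5."""
    return version_tuple(version) < FIXED_VERSION


def parse_version(show_version_output):
    """Return the firmware version string found in the output, or None."""
    for line in show_version_output.splitlines():
        if "version" in line.lower():
            match = VERSION_RE.search(line)
            if match:
                return match.group(1)
    return None


def assess(show_version_output):
    """Return ('vulnerable' | 'patched' | 'unknown', version-or-None)."""
    version = parse_version(show_version_output)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


# Constructed sample output; not captured from a real device.
SAMPLE_OUTPUT = """\
TimeProvider 4100
Firmware version: 2.4.1
Build: 20240312
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))  # ('vulnerable', '2.4.1')
```

Run it over the saved output of each device; anything reported as "unknown" needs a manual look rather than being treated as patched.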

📡 Detection & Monitoring

Log Indicators:

  • Firmware upgrade events from unauthorized IPs
  • Multiple failed upgrade attempts
  • Unexpected system reboots

Network Indicators:

  • HTTP POST requests to /cgi-bin/firmware_upload.cgi from unexpected sources
  • Unusual traffic to device management port (default 80/443)

SIEM Query (pseudo-query in Splunk-style syntax; substitute your own source name and the list of administrator addresses for allowed_admin_ips):

source="timeprovider-logs" event_type="firmware_upgrade" AND NOT src_ip IN (allowed_admin_ips)
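The log and network indicators above, turned into detection logic and run over constructed sample lines. This is an added example, not vendor code or a real capture: it assumes the management web server logs requests in a Combined-Log-like format, takes the /cgi-bin/firmware_upload.cgi path from the network indicators above, and uses placeholder administrator networks. It flags any upload from outside those networks and, separately, repeated failed uploads from one source.

```python
"""Flag firmware-upload activity against a TimeProvider 4100 management interface.

Added example, not vendor code. Assumptions: the management web server
logs in a Combined-Log-like format, the upgrade handler is the
/cgi-bin/firmware_upload.cgi path named in the indicators above, and
the administrator networks below are placeholders for your own.
"""
import ipaddress
import re
from collections import Counter

UPLOAD_PATH = "/cgi-bin/firmware_upload.cgi"   # from the network indicators above
FAILED_THRESHOLD = 3                           # assumed tuning value

# Placeholder administrator networks allowed to push firmware.
ALLOWED_ADMIN_NETS = [
    ipaddress.ip_network(net) for net in ("10.10.0.0/24", "192.0.2.10/32")
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Extract source IP, method, path and status from one access-log line."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "src": match.group("src"),
        "method": match.group("method"),
        "path": match.group("path"),
        "status": int(match.group("status")),
    }


def is_allowed(src):
    """True if src falls inside one of the administrator networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def detect(log_text):
    """Return alerts as (rule, source_ip, detail) tuples, in log order."""
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] != UPLOAD_PATH:
            continue
        # Any upload from outside the admin networks is suspect, successful or not.
        if not is_allowed(rec["src"]):
            alerts.append(("upload_from_unallowed_ip", rec["src"], rec["status"]))
        # Repeated failures from one source suggest someone trying images until one sticks.
        if rec["status"] >= 400:
            failures[rec["src"]] += 1
            if failures[rec["src"]] == FAILED_THRESHOLD:
                alerts.append(("repeated_failed_uploads", rec["src"], FAILED_THRESHOLD))
    return alerts


# Constructed sample lines; not captured from a real device.
SAMPLE_LOG = """\
10.10.0.5 - admin [12/May/2025:09:10:00 +0000] "GET /status HTTP/1.1" 200 2048
10.10.0.5 - admin [12/May/2025:09:14:02 +0000] "POST /cgi-bin/firmware_upload.cgi HTTP/1.1" 200 512
172.16.4.77 - admin [12/May/2025:11:01:40 +0000] "POST /cgi-bin/firmware_upload.cgi HTTP/1.1" 500 0
172.16.4.77 - admin [12/May/2025:11:01:45 +0000] "POST /cgi-bin/firmware_upload.cgi HTTP/1.1" 500 0
172.16.4.77 - admin [12/May/2025:11:01:52 +0000] "POST /cgi-bin/firmware_upload.cgi HTTP/1.1" 500 0
172.16.4.77 - admin [12/May/2025:11:02:10 +0000] "POST /cgi-bin/firmware_upload.cgi HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The successful upload from 10.10.0.5 produces no alert here because it comes from an administrator network; it should still be reconciled against change records, since the device itself cannot tell a legitimate image from a tampered one. Device-side firmware_upgrade syslog events can be fed through the same allow-list check once their format is known.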

🔗 References

  • Vendor advisory: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability
