CVE-2025-9497 PUBLISHED

Hardcoded Upgrade Decryption Passwords

Assigner: Microchip
Reserved: 26.08.2025 Published: 28.03.2026 Updated: 28.03.2026

Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P
CVSS Score: 5.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	Low
Attack Complexity	High	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	Low	Availability	Low
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	Microchip
Product	Time Provider 4100
Versions	Default: unknown affected from 0 to 2.5.0 (excl.)

Affected Configurations

User knowledge of the decryption passwords and upgrade package structure.

Workarounds

Upgrades are only available on a separate management port which should not be connected to an untrusted network. ACLs are available to further restrict access to only trusted addresses.

Credits

Dario Emilio Bertani finder
Raffaele Bova finder
Andrea Sindoni finder
Simone Bossi finder
Antonio Carriero finder
Marco Manieri finder
Vito Pistillo finder
Davide Renna finder
Manuel Leone finder
Massimiliano Brolli finder
TIM Security Red Team Research (TIM S.p.A) reporter

References

https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-hardcoded-upgrade-decryption-passwords

Problem Types

CWE-798: Use of Hard-coded Credentials CWE

Impacts

CAPEC-533 Malicious Manual Software Update