CVE-2024-7801

MEDIUM

Microchip TimeProvider 4100 Firmware 1.0-2.4.6 - Unauthenticated SQL Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-7801. PoCs published by Armando Huesca Prida.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated SQL injection vulnerability in Microchip TimeProvider 4100 Grandmaster firmware (versions 1.0 through 2.4.7) via the 'channelId' parameter in the 'get_chart_data' endpoint. The PoC includes a crafted HTTP request with a malicious SQL payload to extract data from the SQLite database.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Microchip TimeProvider 4100 (Data plot modules) allows SQL Injection. This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Exploits (1)

exploitdb WORKING POC
by Armando Huesca Prida · remote · hardware
https://www.exploit-db.com/exploits/52122

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Microchip TimeProvider 4100 Grandmaster (Firmware 1.0 - 2.4.7)
No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.5
EPSS 0.0083
EPSS Percentile 52.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
microchip/timeprovider_4100_firmware 1.0 - 2.4.7
Published Oct 04, 2024
Tracked Since Feb 18, 2026