CVE-2024-9054

HIGH

Microchip Timeprovider 4100 Firmware < 2.4.7 - OS Command Injection

Title source: rule

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Exploits (1)

exploitdb WORKING POC

by Armando Huesca Prida · remotehardware

https://www.exploit-db.com/exploits/52119

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file

[Exploit, Third Party Advisory] https://www.gruppotim.it/it/footer/red-team.html

Scores

CVSS v3 8.8

EPSS 0.3259

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

microchip/timeprovider_4100_firmware 1.0 - 2.4.7

Published Oct 04, 2024

Tracked Since Feb 18, 2026