CVE-2025-47904 - Vulnerability Details - OpenCVE

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.

Attack Vector Local

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability

History

Tue, 24 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.
Title		Unsigned upgrade package
Weaknesses		CWE-494
References		https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability
Metrics		cvssV4_0 `{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: Microchip

Published: 2026-02-24T15:34:20.905Z

Updated: 2026-02-24T15:34:20.905Z

Reserved: 2025-05-13T19:24:53.452Z

Link: CVE-2025-47904

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-24T16:24:06.680

Modified: 2026-02-24T16:24:06.680

Link: CVE-2025-47904

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-47904", "assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "state": "PUBLISHED", "assignerShortName": "Microchip", "dateReserved": "2025-05-13T19:24:53.452Z", "datePublished": "2026-02-24T15:34:20.905Z", "dateUpdated": "2026-02-24T15:34:20.905Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Time Provider 4100", "vendor": "Microchip", "versions": [{"lessThan": "2.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "User knowledge of the decryption passwords and upgrade package structure.<br>"}], "value": "User knowledge of the decryption passwords and upgrade package structure."}], "credits": [{"lang": "en", "type": "finder", "value": "Dario Emilio Bertani"}, {"lang": "en", "type": "finder", "value": "Raffaele Bova"}, {"lang": "en", "type": "finder", "value": "Andrea Sindoni"}, {"lang": "en", "type": "finder", "value": "Simone Bossi"}, {"lang": "en", "type": "finder", "value": "Antonio Carriero"}, {"lang": "en", "type": "finder", "value": "Marco Manieri"}, {"lang": "en", "type": "finder", "value": "Vito Pistillo"}, {"lang": "en", "type": "finder", "value": "Davide Renna"}, {"lang": "en", "type": "finder", "value": "Manuel Leone"}, {"lang": "en", "type": "finder", "value": "Massimiliano Brolli"}, {"lang": "en", "type": "reporter", "value": "TIM Security Red Team Research (TIM S.p.A)"}], "datePublic": "2026-02-18T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.<p>This issue affects Time Provider 4100: before 2.5.</p>"}], "value": "Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5."}], "impacts": [{"capecId": "CAPEC-533", "descriptions": [{"lang": "en", "value": "CAPEC-533 Malicious Manual Software Update"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.7, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "description": "CWE-494 Download of Code Without Integrity Check", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "shortName": "Microchip", "dateUpdated": "2026-02-24T15:34:20.905Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability"}], "source": {"advisory": "PSIRT-105", "discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-04-14T22:00:00.000Z", "value": "Reported"}], "title": "Unsigned upgrade package", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrades are only available on a separate management port which should \nnot be connected to an untrusted network. ACLs are available to further\n restrict access to only trusted addresses.\n\n<br>"}], "value": "Upgrades are only available on a separate management port which should \nnot be connected to an untrusted network. ACLs are available to further\n restrict access to only trusted addresses."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5."}], "id": "CVE-2025-47904", "lastModified": "2026-02-24T16:24:06.680", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "type": "Secondary"}]}, "published": "2026-02-24T16:24:06.680", "references": [{"source": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability"}], "sourceIdentifier": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-494"}], "source": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5", "type": "Secondary"}]}