CVE-2025-47900
Published: 20 October 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-47900 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting the Microchip TimeProvider 4100. It impacts TimeProvider 4100 versions prior to 2.5. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), which places it in the High severity band.
An attacker needs only low privileges (PR:L) and can exploit the flaw over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows injection of arbitrary OS commands, with high impact on the confidentiality, integrity, and availability (C:H/I:H/A:H) of the affected system.
Mitigation details are available in vendor-provided resources, including Microchip's guidance on the TimeProvider 4100 Grandmaster Remote Command Execution at https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-remote-command-execution and the TIM Red Team disclosure at https://www.gruppotim.it/en/footer/TIM-red-team.html. Updating to TimeProvider 4100 version 2.5 or later addresses the issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote exploitation of a network service for arbitrary OS command injection (Exploitation of Remote Services, T1210), which directly facilitates Unix shell command execution (Command and Scripting Interpreter: Unix Shell, T1059.004) on the affected embedded device.
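The link between CWE-78 and Unix shell execution is that untrusted input ends up being parsed by /bin/sh. The following added example illustrates that generic pattern; it is not the TimeProvider 4100's code, and the hostname parameter, the regular expression, and the use of echo as a stand-in for the real utility are assumptions made for the example.

```python
# Added example: the generic CWE-78 pattern, vulnerable and hardened forms.
# A hypothetical management handler takes a hostname from a request.
import re
import subprocess

# Constructed allow-list for the hypothetical hostname parameter.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_unsafe(hostname: str) -> str:
    """Vulnerable form: input is concatenated into a string that /bin/sh parses,
    so shell metacharacters in it become additional commands (CWE-78)."""
    # echo stands in for the real utility so the example runs without network.
    result = subprocess.run("echo pinging " + hostname, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_argv(hostname: str) -> str:
    """No shell involved: argv is passed directly to the program, so the
    input is one inert argument regardless of its contents."""
    result = subprocess.run(["echo", "pinging", hostname],
                            capture_output=True, text=True)
    return result.stdout


def run_safe(hostname: str) -> str:
    """Hardened form: validate against an allow-list, then use argv."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("invalid hostname: %r" % hostname)
    return run_argv(hostname)


def safe_rejects(hostname: str) -> bool:
    """True if the hardened form refuses the input."""
    try:
        run_safe(hostname)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    crafted = "host; echo INJECTED"  # constructed input with a metacharacter
    print(repr(run_unsafe(crafted)))   # two lines: the second command ran
    print(repr(run_argv(crafted)))     # one line: metacharacters are inert
    print(safe_rejects(crafted))       # True: rejected before any execution
```

Detection-wise, the unsafe form leaves a /bin/sh -c process with the raw input in its command line between the service and the utility it meant to run; the hardened form never spawns a shell, which is also what makes the behaviour easy to allow-list in process-creation telemetry.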