{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-47904","assignerOrgId":"dc3f6da9-85b5-4a73-84a2-2ec90b40fca5","state":"PUBLISHED","assignerShortName":"Microchip","dateReserved":"2025-05-13T19:24:53.452Z","datePublished":"2026-02-24T15:34:20.905Z","dateUpdated":"2026-03-31T10:39:23.425Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Time Provider 4100","vendor":"Microchip","versions":[{"lessThan":"2.5","status":"affected","version":"0","versionType":"semver"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"User knowledge of the decryption passwords and upgrade package structure.<br>"}],"value":"User knowledge of the decryption passwords and upgrade package structure."}],"credits":[{"lang":"en","type":"finder","value":"Dario Emilio Bertani"},{"lang":"en","type":"finder","value":"Raffaele Bova"},{"lang":"en","type":"finder","value":"Andrea Sindoni"},{"lang":"en","type":"finder","value":"Simone Bossi"},{"lang":"en","type":"finder","value":"Antonio Carriero"},{"lang":"en","type":"finder","value":"Marco Manieri"},{"lang":"en","type":"finder","value":"Vito Pistillo"},{"lang":"en","type":"finder","value":"Davide Renna"},{"lang":"en","type":"finder","value":"Manuel Leone"},{"lang":"en","type":"finder","value":"Massimiliano Brolli"},{"lang":"en","type":"reporter","value":"TIM Security Red Team Research (TIM S.p.A)"}],"datePublic":"2026-02-18T23:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.<p>This issue affects Time Provider 4100: before 2.5.</p>"}],"value":"Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update. This issue affects Time Provider 4100: before 
2.5."}],"impacts":[{"capecId":"CAPEC-533","descriptions":[{"lang":"en","value":"CAPEC-533 Malicious Manual Software Update"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":5.7,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-494","description":"CWE-494 Download of Code Without Integrity Check","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"dc3f6da9-85b5-4a73-84a2-2ec90b40fca5","shortName":"Microchip","dateUpdated":"2026-03-31T10:39:23.425Z"},"references":[{"tags":["vendor-advisory"],"url":"https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability"},{"tags":["technical-description"],"url":"https://www.gruppotim.it/en/footer/TIM-red-team.html"}],"source":{"advisory":"PSIRT-105","discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2025-04-14T22:00:00.000Z","value":"Reported"}],"title":"Unsigned upgrade package","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Upgrades are only available on a separate management port which should \nnot be connected to an untrusted network.  
ACLs are available to further\n restrict access to only trusted addresses.\n\n<br>"}],"value":"Upgrades are only available on a separate management port which should \nnot be connected to an untrusted network.  ACLs are available to further\n restrict access to only trusted addresses."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-26T19:52:08.415815Z","id":"CVE-2025-47904","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T19:53:24.404Z"}}]}}