{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-9497","assignerOrgId":"dc3f6da9-85b5-4a73-84a2-2ec90b40fca5","state":"PUBLISHED","assignerShortName":"Microchip","dateReserved":"2025-08-26T17:59:09.578Z","datePublished":"2026-03-28T10:58:29.620Z","dateUpdated":"2026-04-01T13:55:03.527Z"},"containers":{"cna":{"providerMetadata":{"orgId":"dc3f6da9-85b5-4a73-84a2-2ec90b40fca5","shortName":"Microchip","dateUpdated":"2026-03-31T15:52:21.770Z"},"title":"Hardcoded Upgrade Decryption Passwords","datePublic":"2026-03-28T07:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-798","description":"CWE-798: Use of Hard-coded Credentials","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-533","descriptions":[{"lang":"en","value":"CAPEC-533 Malicious Manual Software Update"}]}],"affected":[{"vendor":"Microchip","product":"Time Provider 4100","versions":[{"status":"affected","version":"0","lessThan":"2.5.0","versionType":"semver"}],"defaultStatus":"unknown"}],"descriptions":[{"lang":"en","value":"Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update. This issue affects Time Provider 4100: before 2.5.0.","supportingMedia":[{"type":"text/html","base64":false,"value":"Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.<p>This issue affects Time Provider 4100: before 
2.5.0.</p>"}]}],"references":[{"url":"https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-hardcoded-upgrade-decryption-passwords","tags":["vendor-advisory"]},{"url":"https://www.gruppotim.it/en/footer/TIM-red-team.html","tags":["technical-description"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"LOW","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"PROOF_OF_CONCEPT","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.5,"vectorString":"CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:P"}}],"configurations":[{"lang":"en","value":"User knowledge of the decryption passwords and upgrade package structure.","supportingMedia":[{"type":"text/html","base64":false,"value":"User knowledge of the decryption passwords and upgrade package structure.<br>"}]}],"workarounds":[{"lang":"en","value":"Upgrades are only available on a separate management port which \nshould not be connected to an untrusted network.  ACLs are available to \nfurther restrict access to only trusted addresses.","supportingMedia":[{"type":"text/html","base64":false,"value":"<div><div>\n</div>\n\n    \n</div>\n        \n        <div>\n            <div>\n                <div>\n                    <div><div>\n\n    <p>Upgrades are only available on a separate management port which \nshould not be connected to an untrusted network.  
ACLs are available to \nfurther restrict access to only trusted addresses.</p>\n\n</div></div></div></div></div>"}]}],"credits":[{"lang":"en","value":"Dario Emilio Bertani","type":"finder"},{"lang":"en","value":"Raffaele Bova","type":"finder"},{"lang":"en","value":"Andrea Sindoni","type":"finder"},{"lang":"en","value":"Simone Bossi","type":"finder"},{"lang":"en","value":"Antonio Carriero","type":"finder"},{"lang":"en","value":"Marco Manieri","type":"finder"},{"lang":"en","value":"Vito Pistillo","type":"finder"},{"lang":"en","value":"Davide Renna","type":"finder"},{"lang":"en","value":"Manuel Leone","type":"finder"},{"lang":"en","value":"Massimiliano Brolli","type":"finder"},{"lang":"en","value":"TIM Security Red Team Research (TIM S.p.A)","type":"reporter"}],"source":{"advisory":"PSIRT-104","discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-04-01T13:54:38.708217Z","id":"CVE-2025-9497","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-01T13:55:03.527Z"}}]}}