Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-9054

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Published

2024-10-04T20:15:07.587

Last Modified

2024-10-17T15:19:32.803

Status

Analyzed

Source

dc3f6da9-85b5-4a73-84a2-2ec90b40fca5

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-78
CWE-200
Type: Primary
CWE-78

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	microchip	timeprovider_4100_firmware	< 2.4.7	Yes
Hardware	microchip	timeprovider_4100	-	No

References

https://www.gruppotim.it/it/footer/red-team.html Exploit, Third Party Advisory (dc3f6da9-85b5-4a73-84a2-2ec90b40fca5)
https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file Vendor Advisory (dc3f6da9-85b5-4a73-84a2-2ec90b40fca5)