CVE-2024-9054

Remote code Execution inTimeProvider® 4100

CVSS 8.5 HIGHEPSS 14.6%CWE-78

Vexday Risk Score

46Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.5EPSS 14.6%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

04 Oct 2024Published on NVD

04 Apr 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:M/U:Amber

Affected products

Microchip · TimeProvider 4100

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/52119unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.gruppotim.it/it/footer/red-team.html https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file