CVE-2024-9054

high-risk

Published 2024-10-04

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Do I need to act?

32.6% chance of exploitation in next 30 days

EPSS score — higher than 67% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52119

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Timeprovider 4100 Firmware

Affected Vendors

Microchip

References (2)

Exploit https://www.gruppotim.it/it/footer/red-team.html

Vendor Advisory https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-...

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 16/34 · Moderate

Exposure 5/34 · Minimal