CVE-2024-9054
Published: 04 October 2024
Summary
CVE-2024-9054 is a high-severity OS Command Injection (CWE-78) vulnerability in Microchip TimeProvider 4100 firmware. Its CVSS base score is 8.5 (High).
Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-9054 is an OS command injection vulnerability, also involving exposure of sensitive information, that affects the configuration modules of the Microchip TimeProvider 4100 grandmaster clock. The flaw stems from improper neutralization of special elements in OS commands (CWE-78) and impacts all versions from 1.0 up to but not including 2.4.7. It carries a CVSS 4.0 score of 8.5, reflecting a network attack vector, low attack complexity and low privileges required.
An attacker with limited privileges and the ability to supply or modify configuration files can inject arbitrary operating system commands. Successful exploitation grants the ability to execute commands on the device, potentially leading to full control over the affected TimeProvider 4100 unit and disclosure of sensitive configuration or operational data.
Vendor guidance indicates that the issue is resolved in firmware version 2.4.7 and later. Microchip has published details on responsible disclosure for this remote code execution path through configuration files, while independent analysis from Gruppo TIM's red team highlights the practical impact on deployed appliances. The associated EPSS score reached a peak of 0.3259 before receding to its current value of 0.2457.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49694
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection. This issue affects TimeProvider 4100: from 1.0 before 2.4.7.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.