Cyber Posture

CVE-2025-9497

Critical

Published: 28 March 2026

Modified: 01 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9497 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Gruppotim (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.5th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

IA-5 mandates proper management and protection of authenticators, directly preventing the embedding and use of hard-coded credentials for unauthorized software updates.

prevent

SI-7 requires integrity verification of software and firmware, blocking installation of malicious updates performed via exploited hard-coded credentials.

prevent

CM-14 requires digitally signed software and firmware components from vendors, ensuring only authentic updates can be applied despite compromised decryption credentials.

MITRE ATT&CK Enterprise Techniques

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078.001 · Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Hard-coded credentials enable remote unauthenticated exploitation of a public-facing device for malicious updates and full compromise (T1190); directly matches default/embedded account abuse (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update. This issue affects Time Provider 4100: before 2.5.0.

Deeper analysis

CVE-2025-9497 is a Use of Hard-coded Credentials vulnerability (CWE-798) in the Microchip Time Provider 4100, enabling malicious manual software updates. The issue affects Time Provider 4100 versions prior to 2.5.0. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact network-based exploitation without authentication or user interaction.

Remote attackers without privileges can exploit this vulnerability over the network with low complexity by leveraging the hard-coded credentials to perform unauthorized manual software updates. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the affected device.

Microchip's advisory on the Time Provider 4100 highlights the hard-coded upgrade decryption passwords and provides guidance on reporting vulnerabilities, with mitigation achieved by updating to version 2.5.0 or later. Additional context from the TIM Red Team references the discovery.

Details

CWE(s)

Affected Products

Gruppotim
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-25202 · Shared CWE-798
CVE-2024-8893 · Shared CWE-798
CVE-2026-3873 · Shared CWE-798
CVE-2026-1221 · Shared CWE-798
CVE-2024-57040 · Shared CWE-798
CVE-2025-67418 · Shared CWE-798
CVE-2025-10850 · Shared CWE-798
CVE-2026-22769 · Shared CWE-798
CVE-2026-27507 · Shared CWE-798
CVE-2025-10639 · Shared CWE-798
