PatchSiren

CVE-2026-12622 Microchip CVE debrief

The CVE-2026-12622 issue involves an open redirect vulnerability in the password change form submission of the GridTime 3000 GNSS Time Server. This vulnerability affects GridTime 3000 versions from 1.0r0.03 through 1.1r0.0. The CVSS score for this vulnerability is 5.3, classified as MEDIUM severity. Defenders need to assess exposure based on the affected versions and take appropriate measures to mitigate the risk of potential phishing attacks leveraging this vulnerability.

Vendor: Microchip
Product: GridTime 3000 GNSS Time Server
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Organizations using GridTime 3000 GNSS Time Server versions 1.0r0.03 through 1.1r0.0 should be aware of this open redirect vulnerability. Given the MEDIUM severity and potential for phishing attacks, security teams and administrators responsible for these systems must evaluate their exposure and implement necessary mitigations.

Technical summary

CVE-2026-12622 is an open redirect vulnerability in the GridTime 3000 GNSS Time Server's password change form submission. The vulnerability exists in versions from 1.0r0.03 through 1.1r0.0. It has a CVSS score of 5.3 and is classified as CWE-601. The vulnerability allows attackers to redirect users to malicious sites, potentially leading to phishing attacks. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

MEDIUM priority due to potential phishing risk via open redirect.

Recommended defensive actions

  • Inventory GridTime 3000 GNSS Time Server instances to identify affected versions.
  • Review and apply vendor-supported remediation or patches for affected versions.
  • Implement compensating controls such as web application firewalls to detect and prevent exploitation.
  • Monitor GridTime 3000 server logs for exceptions or anomalies and track them.
  • Educate users on the risks of phishing attacks and on verifying URL authenticity.

Evidence notes

The primary evidence for CVE-2026-12622 comes from the CVE record and NVD detail pages. The vulnerability affects GridTime 3000 versions 1.0r0.03 through 1.1r0.0. Because the stored evidence is limited, the affected versions and the details of the open redirect need to be verified. Defenders should verify this information against official sources such as Microchip's product security vulnerability reporting page.

This article is AI-assisted and based on the supplied source corpus.