CVE-2024-4760 is a medium-severity vulnerability affecting multiple Microchip microcontroller families, including SAM E70/S70/V70/V71, SAM G55, SAM 4C/4S/4N/4E, and SAM 3S/3N/3U series. The vulnerability arises from improper protection against voltage and clock glitches during the startup phase of the Embedded Flash Controller (EEFC) Non-Volatile Memory (NVM) controllers. Specifically, an attacker can induce a voltage glitch at startup, which bypasses the security bit that normally restricts access to the memory bus via the debug interface. This flaw allows unauthorized read and write access to the microcontroller’s memory, potentially exposing sensitive data or enabling malicious code injection. The vulnerability is classified under CWE-1247, which relates to insufficient protection against voltage and clock glitches. The CVSS 3.1 base score is 6.3 (medium), reflecting that exploitation requires physical proximity (attack vector: physical), high attack complexity, no privileges, and some user interaction. The impact on confidentiality, integrity, and availability is high if exploited, as attackers can fully access and manipulate the microcontroller’s memory contents. No known exploits are currently reported in the wild, and no patches have been published yet by Microchip. This vulnerability is particularly critical for embedded systems relying on these microcontrollers for secure operations, such as industrial control, automotive, medical devices, and critical infrastructure components. The attack requires physical access and precise timing to induce voltage glitches, making remote exploitation infeasible but raising concerns for devices deployed in physically accessible environments.

For European organizations, the impact of CVE-2024-4760 is significant in sectors that deploy Microchip SAME70 and related microcontrollers in embedded systems. These include industrial automation, automotive manufacturing, healthcare devices, and critical infrastructure such as energy and transportation systems. Successful exploitation could lead to unauthorized disclosure of sensitive information, manipulation of device behavior, or permanent device compromise, undermining operational integrity and safety. Given the physical access requirement, the threat is more acute in environments where devices are accessible to insiders or attackers with physical proximity, such as manufacturing floors, field installations, or service centers. The vulnerability could facilitate espionage, sabotage, or supply chain attacks, particularly in high-value targets. European organizations must consider this risk in their embedded device security assessments and supply chain risk management. The lack of patches increases exposure until mitigations or hardware revisions are available.

1. Restrict physical access to devices using affected Microchip microcontrollers to trusted personnel only, employing tamper-evident seals and secure enclosures. 2. Implement environmental monitoring to detect abnormal voltage or clock conditions indicative of glitching attempts. 3. Use hardware security modules or external secure elements to offload critical security functions away from vulnerable microcontrollers. 4. Employ layered security controls such as encrypted firmware, secure boot, and runtime integrity checks to limit the impact of memory access. 5. Monitor vendor communications closely for firmware updates or hardware revisions addressing this vulnerability and plan timely patching or device replacement. 6. Conduct security audits and penetration tests focusing on physical attack vectors and side-channel resistance. 7. For new designs, consider alternative microcontrollers with robust glitch resistance and certified security features. 8. Educate operational staff about the risks of physical tampering and enforce strict device handling policies.