216.73.217.172

CVE-2025-54808

· Published 23/10/2025 19:15 · Modified 23/10/2025 19:15

Labels: CVE-2025-54808 2025-10-23CVE-2025-54808CWE-522[email protected]

Essential information

Published
23/10/2025 19:15
Modified
23/10/2025 19:15
Author
Creator
CVSS
7.3 HIGH (v3) 7.3 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory (/tmp) on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the token is leaked (e.g., via malware infection or other local exploit), and remote access is enabled, it can be used to establish unauthorized remote connections to the sequencer. Remote access must be enabled for remote exploitation to succeed. This may occur either because the user has enabled remote access for legitimate operational reasons or because malware with elevated privileges (e.g., sudo access) enables it without user consent. This vulnerability can be chained with remote access capabilities to generate a developer token from a remote device. Developer tokens can be created with arbitrary expiration dates, enabling persistent access to the sequencer and bypassing standard authentication mechanisms.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
oxford nanopore technologies / minknow cpe:2.3:a:oxford_nanopore_technologies:minknow:<24.11:*:*:*:*:*:*:*

References