CVE-2025-53963

Critical

Published: 04 December 2025

Modified: 16 December 2025
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53963 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Thermo Fisher Ion Torrent OneTouch 2 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 25.4th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-22 (Unsupported System Components).

Deeper analysis

CVE-2025-53963 is a vulnerability in Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices, which run an SSH server accessible over the default port 22. The root account uses a weak default password of "ionadmin", and no password change policy is enforced for this account. This issue falls under CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It only affects products that are no longer supported by the maintainer.

An attacker with network connectivity to the device can exploit this vulnerability by authenticating to the SSH server as root using the default password "ionadmin", which gives full root-level code execution on the device. No special privileges, user interaction, or complex conditions are required for exploitation.

References provided include Thermo Fisher product documentation such as the Ion OneTouch 2 System User Guide, Ion OneTouch 2 and Torrent Suite Software Product Guide, and OneTouch 2 Specification Sheet, but no vendor advisories or patches are specified. Given that the affected products are no longer supported, no mitigations such as updates or enforced password policies are available from the maintainer.

Vulnerability details

An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability involves a weak default password for the root account on an exposed SSH server, directly enabling use of default accounts (T1078.001) for remote root access and code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-54304 · Same product: Thermofisher Ion Torrent Onetouch 2
CVE-2025-12285 · Shared CWE-521
CVE-2026-25715 · Shared CWE-521
CVE-2025-54307 · Same vendor: Thermofisher
CVE-2025-63747 · Shared CWE-521
CVE-2025-22390 · Shared CWE-521
CVE-2025-55269 · Shared CWE-521
CVE-2026-33771 · Shared CWE-521
CVE-2025-27663 · Shared CWE-521
CVE-2025-25211 · Shared CWE-521

Affected Assets

thermofisher
ion torrent onetouch 2 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

IA-5 Authenticator Management
prevent

Requires changing default authenticators prior to first use and ensuring sufficient strength of mechanism, directly mitigating the weak default root password 'ionadmin' and lack of password change enforcement.

SA-22 Unsupported System Components
prevent

Prohibits use of unsupported system components like these end-of-life devices unless compensated, preventing exploitation of unpatched vulnerabilities including this weak password issue.

AC-17 Remote Access · partial match
prevent

Establishes usage restrictions and security safeguards such as multifactor authentication for remote access like SSH on port 22, limiting network-based root exploitation.
