CVE-2025-53963
Published: 04 December 2025
Summary
CVE-2025-53963 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Thermofisher Ion Torrent Onetouch 2 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-22 (Unsupported System Components).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires changing default authenticators prior to first use and ensuring sufficient strength of mechanism, directly mitigating the weak default root password 'ionadmin' and lack of password change enforcement.
Prohibits use of unsupported system components like these end-of-life devices unless compensated, preventing exploitation of unpatched vulnerabilities including this weak password issue.
Establishes usage restrictions and security safeguards such as multifactor authentication for remote access like SSH on port 22, limiting network-based root exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability involves a weak default password for the root account on an exposed SSH server, directly enabling use of default accounts (T1078.001) for remote root access and code execution.
NVD Description
An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for…
more
the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2025-53963 is a vulnerability in Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices, which run an SSH server accessible over the default port 22. The root account uses a weak default password of "ionadmin," and no password change policy is enforced for this account. This issue falls under CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It only affects products that are no longer supported by the maintainer.
An attacker with network connectivity to the device can exploit this vulnerability by authenticating to the SSH server as root using the default password "ionadmin," enabling full root-level code execution on the device. No special privileges, user interaction, or complex conditions are required for exploitation.
References provided include Thermo Fisher product documentation such as the Ion OneTouch 2 System User Guide, Ion OneTouch 2 and Torrent Suite Software Product Guide, and OneTouch 2 Specification Sheet, but no vendor advisories or patches are specified. Given that the affected products are no longer supported, no mitigations such as updates or enforced password policies are available from the maintainer.
Details
- CWE(s)