CVE-2025-54304
Published: 04 December 2025
Summary
CVE-2025-54304 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Thermo Fisher Ion Torrent OneTouch 2 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 23.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-41 (Port and I/O Device Access).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): network firewalls or ACLs block unauthorized access to TCP port 6000, preventing remote exploitation of the exposed X11 display server.
- SC-41 (Port and I/O Device Access): restricts access to port 6000 at the host or device level, directly mitigating network connections to the vulnerable X11 server even if it binds to all interfaces.
- SA-22 (Unsupported System Components): prohibits use of unsupported legacy components like the Ion Torrent OneTouch 2, eliminating exposure to this unpatched X11 configuration vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes an unauthenticated X11 display server on TCP port 6000 accessible over the network, enabling attackers to interact with the matchbox-desktop environment and spawn a root terminal for remote code execution, directly mapping to Exploitation of Remote Services (T1210).
NVD Description
An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2025-54304 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting Thermo Fisher Ion Torrent OneTouch 2 devices with part number INS1005527. The issue stems from an X11 display server that starts automatically when the device is powered on, listening on all network interfaces over TCP port 6000. By default, the X11 access control list permits connections only from 127.0.0.1 and 192.168.2.15, the address the device is expected to hold on its intended network. If the device is later connected to a network using DHCP and assigned a different IP address, that ACL entry no longer refers to the device itself, and the display server becomes accessible to other devices on the network, exposing sensitive information (CWE-200).
Any unauthenticated attacker with network access to the device can exploit this vulnerability with low complexity, requiring no privileges or user interaction. By connecting to the exposed X11 server on port 6000, an attacker can interact with the matchbox-desktop environment to spawn a terminal, achieving remote code execution with root privileges. This grants high confidentiality, integrity, and availability impacts, potentially allowing full device compromise.
No vendor patch or vendor-supplied mitigation is available, as the vulnerability affects products no longer supported by the maintainer. References point to Thermo Fisher user guides and product documentation, which describe system setup but do not address this issue or provide remediation steps. Security practitioners should isolate these legacy devices on segmented networks or air-gapped environments and block TCP port 6000 at the network boundary so the X11 server is never reachable from other hosts.
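The two conditions the advisory describes, a device whose DHCP-assigned address no longer matches the 192.168.2.15 entry in its own X11 access list, and remote hosts reaching TCP port 6000 on that device, can both be checked from flow records at the network boundary. The following is an added audit example written for this page; it is not code from the advisory, from NVD, or from Thermo Fisher. The `src=… dst=… dport=…` log format, the device address 192.168.2.40 and the peer addresses are all constructed for the example.

```python
"""Audit helper for the CVE-2025-54304 exposure pattern (added example).

Flags (1) a device whose current address is not the non-loopback entry of its
X11 ACL, the DHCP condition from the advisory, and (2) every network peer that
connects to the device's X11 port, recording whether the stale default ACL
would admit that peer. Flow-record format and addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

X11_PORT = 6000
# Default X11 access list on the device, as stated in the advisory.
DEFAULT_X11_ACL = frozenset({"127.0.0.1", "192.168.2.15"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    admitted_by_default_acl: bool  # True: the stale ACL would let this peer in


def parse_flow_line(line: str) -> Flow | None:
    """Parse one constructed 'src=A dst=B dport=N' record; None for junk lines."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Flow(
            str(ipaddress.ip_address(fields["src"])),
            str(ipaddress.ip_address(fields["dst"])),
            int(fields["dport"]),
        )
    except (KeyError, ValueError):
        return None


def address_drifted(device_ip: str, acl=DEFAULT_X11_ACL) -> bool:
    """True when the device no longer holds the non-loopback address in its ACL.

    192.168.2.15 was meant to be the device itself; once the device sits at
    another address, that ACL entry admits whichever host holds 192.168.2.15.
    """
    non_loopback = {a for a in acl if not ipaddress.ip_address(a).is_loopback}
    return device_ip not in non_loopback


def unexpected_x11_connections(lines, device_ip: str, acl=DEFAULT_X11_ACL) -> list[Finding]:
    """Flag every flow to the device's X11 port from a host other than the device.

    Legitimate X11 traffic on these devices is local only, so any remote peer is
    reportable whether or not the server's ACL ends up accepting it.
    """
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        if flow is None or flow.dst != device_ip or flow.dport != X11_PORT:
            continue
        if flow.src == device_ip or ipaddress.ip_address(flow.src).is_loopback:
            continue  # the device talking to its own display server
        findings.append(Finding(flow, flow.src in acl))
    return findings


# Constructed flow records (hypothetical DHCP segment; not a real capture).
DEVICE_IP = "192.168.2.40"  # the OneTouch 2 after DHCP, no longer at .15
SAMPLE_FLOWS = [
    "src=192.168.2.77 dst=192.168.2.40 dport=6000",  # remote peer, not in ACL
    "src=192.168.2.15 dst=192.168.2.40 dport=6000",  # remote peer holding the ACL address
    "src=192.168.2.40 dst=192.168.2.40 dport=6000",  # device to itself: expected
    "src=192.168.2.77 dst=192.168.2.40 dport=22",    # other port: ignored
    "not a flow record",
]


if __name__ == "__main__":
    print("address drifted:", address_drifted(DEVICE_IP))
    for f in unexpected_x11_connections(SAMPLE_FLOWS, DEVICE_IP):
        print(f"X11 peer {f.flow.src} -> {f.flow.dst}:{f.flow.dport}",
              "(admitted by default ACL)" if f.admitted_by_default_acl else "(rejected by ACL)")
```

Both flagged peers are worth an alert: the one the ACL rejects still shows that port 6000 is reachable across the segment, which the SC-7 and SC-41 controls above are meant to prevent, and the one holding 192.168.2.15 is exactly the case in which the stale ACL would admit a foreign host.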
Details
- CWE(s)