Cyber Resilience

CVE-2025-54304

Severity: Critical
Published: 04 December 2025
Modified: 16 December 2025
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (26.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54304 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Thermofisher Ion Torrent Onetouch 2 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 26.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-41 (Port and I/O Device Access).

Deeper analysis

CVE-2025-54304 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting Thermo Fisher Ion Torrent OneTouch 2 devices with part number INS1005527. The issue stems from an X11 display server that starts automatically when the device is powered on and listens on all network interfaces on TCP port 6000. By default, the X11 access control list permits connections only from 127.0.0.1 and 192.168.2.15. If the device is later connected to a network that uses DHCP and receives a different IP address, the display server becomes reachable from other devices on that network, exposing sensitive information (CWE-200).

Any unauthenticated attacker with network access to the device can exploit this vulnerability with low complexity, requiring no privileges or user interaction. By connecting to the exposed X11 server on port 6000, an attacker can interact with the matchbox-desktop environment to spawn a terminal, achieving remote code execution with root privileges. The result is high confidentiality, integrity, and availability impact, potentially allowing full device compromise.

No patches or mitigations are available, as the vulnerability affects products no longer supported by the maintainer. References point to Thermo Fisher user guides and product documentation, which describe system setup but do not address this issue or provide remediation steps. Security practitioners should isolate these legacy devices on segmented networks or air-gapped environments to prevent exposure.
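A defender-side check in the spirit of the segmentation advice above, added here as an example (it is not code from the advisory, this tracker, or Thermo Fisher): it scans connection-log lines for established TCP 6000 sessions whose client falls outside the default X11 access list, treating the 192.168.2.15 entry as trustworthy only while the instrument still holds that address. The log format and every address in the sample are constructed for the demo.

```python
"""Added example, not from the advisory or Thermo Fisher: flag X11 (TCP 6000) sessions
to a lab instrument that fall outside the access list CVE-2025-54304 describes.
Log format and all addresses are constructed for the demo."""
import ipaddress
import re

X11_PORT = 6000
# Default xhost list per the advisory: loopback plus the instrument's own static address.
STATIC_INSTRUMENT_IP = ipaddress.ip_address("192.168.2.15")
# Constructed log format: "<ts> proto=tcp src=IP:PORT dst=IP:PORT state=<established|rejected>"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+state=(?P<state>\w+)")

def classify_x11_client(src, dst):
    """Return None for an expected client, else a short reason string."""
    if src.is_loopback:
        return None
    # 192.168.2.15 is the instrument only while the instrument still holds that address;
    # once DHCP has moved it elsewhere, the access-list entry points at some other host.
    if src == STATIC_INSTRUMENT_IP:
        return None if dst == STATIC_INSTRUMENT_IP else "instrument moved off 192.168.2.15; list entry now foreign"
    return "client outside default X11 access list"

def find_exposed_x11(lines):
    """Return (src, dst, reason) for each established TCP 6000 session from an unexpected client."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != X11_PORT or m["state"] != "established":
            continue  # rejected/filtered attempts and non-X11 traffic are not exposures
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        reason = classify_x11_client(src, dst)
        if reason:
            findings.append((str(src), str(dst), reason))
    return findings

SAMPLE_LOG = [  # constructed events; 10.20.30.17 is the instrument after a DHCP lease
    "2025-12-04T09:00:01Z proto=tcp src=127.0.0.1:41022 dst=127.0.0.1:6000 state=established",
    "2025-12-04T09:00:05Z proto=tcp src=192.168.2.15:41030 dst=192.168.2.15:6000 state=established",
    "2025-12-04T09:01:10Z proto=tcp src=10.20.30.44:51234 dst=10.20.30.17:6000 state=established",
    "2025-12-04T09:01:12Z proto=tcp src=192.168.2.15:51240 dst=10.20.30.17:6000 state=established",
    "2025-12-04T09:02:00Z proto=tcp src=10.20.30.44:51300 dst=10.20.30.17:22 state=established",
    "2025-12-04T09:02:30Z proto=tcp src=10.20.30.99:51400 dst=10.20.30.17:6000 state=rejected",
]

if __name__ == "__main__":
    for src, dst, reason in find_exposed_x11(SAMPLE_LOG):
        print(f"ALERT X11 exposure {src} -> {dst}: {reason}")
```

Feed it the connection records your firewall or flow collector already produces; a match from a non-loopback client is the signal that the device has drifted off its expected address and needs to be segmented.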

Vulnerability details

An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability exposes an unauthenticated X11 display server on TCP port 6000 accessible over the network, enabling attackers to interact with the matchbox-desktop environment and spawn a root terminal for remote code execution, directly mapping to Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53963 (same product: Thermofisher Ion Torrent Onetouch 2)
CVE-2023-24010 (shared CWE-200)
CVE-2025-54307 (same vendor: Thermofisher)
CVE-2024-13796 (shared CWE-200)
CVE-2025-27784 (shared CWE-200)
CVE-2025-26001 (shared CWE-200)
CVE-2026-42826 (shared CWE-200)
CVE-2025-24232 (shared CWE-200)
CVE-2026-4712 (shared CWE-200)
CVE-2024-48125 (shared CWE-200)

Affected Assets

Vendor: thermofisher
Product: ion torrent onetouch 2 firmware
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

SC-7 Boundary Protection (prevent): implements network firewalls or ACLs to block unauthorized access to TCP port 6000, preventing remote exploitation of the exposed X11 display server.

SC-41 Port and I/O Device Access (prevent): restricts access to port 6000 at the host or device level, directly mitigating network connections to the vulnerable X11 server even if it binds to all interfaces.

SA-22 Unsupported System Components (prevent): prohibits use of unsupported legacy components like the Ion Torrent OneTouch 2, eliminating exposure to this unpatched X11 configuration vulnerability.
