CVE-2025-54808
HIGHDescription
Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory (/tmp) on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the token is leaked (e.g., via malware infection or other local exploit), and remote access is enabled, it can be used to establish unauthorized remote connections to the sequencer. Remote access must be enabled for remote exploitation to succeed. This may occur either because the user has enabled remote access for legitimate operational reasons or because malware with elevated privileges (e.g., sudo access) enables it without user consent. This vulnerability can be chained with remote access capabilities to generate a developer token from a remote device. Developer tokens can be created with arbitrary expiration dates, enabling persistent access to the sequencer and bypassing standard authentication mechanisms.
How to fix
No published remediation has been found for this vulnerability's affected products yet.
Mitigation guidance may be in the linked vendor advisories in the References section below.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Low risk: more likely to be exploited than 5% of all known CVEs.
References
Related Vulnerabilities
Other CWE-522 vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2019-17662 | Critical | 9.8 | 97% | - | - |
| CVE-2020-29583 | Critical | 9.8 | 90% | KEV | - |
| CVE-2021-30116 | Critical | 10.0 | 86% | KEV + Ransom | Fix |
| CVE-2024-44000 | Critical | 9.8 | 83% | - | Fix |
| CVE-2018-9160 | Critical | 9.8 | 77% | - | - |
| CVE-2017-9248 | Critical | 9.8 | 75% | KEV | Fix |
Embed a live status badge for CVE-2025-54808
Markdown
[](https://tridentstack.com/cve/CVE-2025-54808)HTML
<a href="https://tridentstack.com/cve/CVE-2025-54808"><img src="https://tridentstack.com/cve/badge/CVE-2025-54808.svg" alt="CVE-2025-54808"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-27.