1. EXECUTIVE SUMMARY
- CVSS v4 8.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Oxford Nanopore Technologies
- Equipment: MinKNOW
- Vulnerabilities: Missing Authentication for Critical Function, Insufficiently Protected Credentials, Improper Check for Unusual or Exceptional Conditions
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disrupt sequencing operations and processes, exfiltrate and manipulate data, and bypass authentication controls.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of MinKNOW, the control software for Oxford Nanopore DNA and RNA sequencing devices, are affected:
- MinKNOW: Versions prior to 24.06 (CVE-2024-35585)
- MinKNOW: Versions prior to 24.11 (CVE-2025-54808, CVE-2025-10937)
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
Remote access is enabled by default, and access control relies on the IP address of the host computer. Unauthorized users on the same network can discover that IP address (e.g., via port scanning) and gain access to the sequencer by registering a legitimate or temporary Oxford Nanopore account. Once connected through the MinKNOW application, attackers can observe sequencing activity, pause or stop data collection, and redirect output data to an alternate location.
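The weakness described above is the general pattern of treating a caller's network address as its identity (CWE-306). The following is an added illustration, not MinKNOW code, and it makes no claim about how MinKNOW performs its check: a hypothetical service that authorizes by source IP is shown next to one that requires a server-issued session token verified with an HMAC. The `Request` class, the `TRUSTED_HOSTS` value and the header names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an inbound request: the peer address the
    server observed, plus any headers the client chose to send."""
    client_ip: str
    headers: dict = field(default_factory=dict)


# --- Weak pattern: the caller's IP address is the credential. ---------------

# Hypothetical allowlist: the address of the "host computer" the service trusts.
TRUSTED_HOSTS = {"10.0.0.5"}


def authorize_by_source_ip(req: Request) -> bool:
    """Grants access to anything that reaches the service from an allowlisted
    address. Once an attacker on the same network learns (or can use) that
    address, nothing distinguishes them from the legitimate operator."""
    return req.client_ip in TRUSTED_HOSTS


# --- Hardened pattern: a per-session secret the server can verify and revoke. -

class TokenAuthorizer:
    """Issues an HMAC-based token per session and checks it on every request,
    independently of where the request came from."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # server-side secret, never sent
        self._active: set[str] = set()        # sessions that may still be used

    def _tag(self, session_id: str) -> str:
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        """Called after the user has actually authenticated (out of scope here).
        Returns the token the client must present on later requests."""
        self._active.add(session_id)
        return self._tag(session_id)

    def revoke(self, session_id: str) -> None:
        self._active.discard(session_id)

    def authorize(self, req: Request) -> bool:
        sid = req.headers.get("X-Session-Id")
        tok = req.headers.get("X-Session-Token")
        if sid is None or tok is None or sid not in self._active:
            return False
        # Constant-time comparison so the check does not leak the tag byte by byte.
        return hmac.compare_digest(self._tag(sid), tok)


def demo() -> dict:
    """Runs both checks against a request from the trusted address that carries
    no credential, i.e. the situation the advisory describes."""
    auth = TokenAuthorizer()
    token = auth.issue("session-1")
    operator = Request("10.0.0.5", {"X-Session-Id": "session-1",
                                    "X-Session-Token": token})
    same_ip_no_token = Request("10.0.0.5")
    return {
        "ip_check_accepts_unauthenticated_caller": authorize_by_source_ip(same_ip_no_token),
        "token_check_accepts_unauthenticated_caller": auth.authorize(same_ip_no_token),
        "token_check_accepts_operator": auth.authorize(operator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token variant also gives the operator something the IP check cannot: `revoke()` ends a session without having to re-address the network, and a request from a trusted address is worth nothing without the matching secret.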
CVE-2024-35585 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-35585. A ba
[…]