CVE-2025-53963

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers with network access to achieve root-level code execution on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices by exploiting weak default SSH credentials. Affected systems are those running the vulnerable SSH server with the default 'ionadmin' password for the root account. This primarily impacts organizations using these specific laboratory devices that are no longer supported by the vendor.

💻 Affected Systems

Products:
  • Thermo Fisher Ion Torrent OneTouch 2 INS1005527
Versions: All versions with default configuration
Operating Systems: Embedded Linux/device-specific OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products no longer supported by maintainer. Vulnerability exists in default SSH configuration with weak root password.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code as root, potentially leading to data theft, device manipulation, or lateral movement to other network systems.

🟠 Likely Case

Unauthorized root access to the device enabling data exfiltration, configuration changes, or installation of persistent backdoors.

🟢 If Mitigated

Limited to failed authentication attempts if strong passwords and network controls are implemented.

🌐 Internet-Facing: HIGH - SSH server on default port 22 with weak credentials presents significant risk if exposed to internet.
🏢 Internal Only: HIGH - Even internally, weak root credentials allow easy privilege escalation for any network-connected attacker.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires SSH client and knowledge of default credentials. Simple password authentication attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available as product is no longer supported. Must implement workarounds.

🔧 Temporary Workarounds

Change Root Password

linux

Change the default 'ionadmin' password to a strong, unique password for the root account.

passwd root

Disable SSH Root Login

linux

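Modify the SSH configuration so that root cannot log in over SSH. sshd uses the first value it finds for each keyword, so the directive is inserted at the top of the file rather than appended after any existing PermitRootLogin line.

sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
systemctl restart sshd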

Change SSH Port

linux

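Move the SSH service to a non-standard port to reduce automated scanning. This only cuts scanner noise; it does not fix the weak root credential.

sed -i -E 's/^#?[[:space:]]*Port[[:space:]]+22[[:space:]]*$/Port 2222/' /etc/ssh/sshd_config
systemctl restart sshd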

🧯 If You Can't Patch

  • Implement network segmentation to isolate device from untrusted networks
  • Deploy firewall rules to restrict SSH access to authorized IP addresses only

🔍 How to Verify

Check if Vulnerable:

Attempt SSH connection to port 22 with username 'root' and password 'ionadmin'

Check Version:

Check device documentation or system information for specific model/version

Verify Fix Applied:

Verify SSH root login fails with old password and new strong password works, or root login is disabled

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH authentication attempts for root account
  • Successful SSH logins from unexpected IP addresses
  • Multiple authentication failures followed by success

Network Indicators:

  • SSH brute force attempts on port 22
  • Unexpected SSH connections to the device

SIEM Query:

source="ssh" (user="root" AND (action="failed" OR action="accepted")) | stats count by src_ip, user, action
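
The log indicators listed above can also be checked directly against an sshd auth log. The following is an added example, not part of the original advisory or any vendor tooling. It assumes the standard OpenSSH "Failed/Accepted password for ..." syslog messages; the function name, threshold, allowlist, hostname and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Standard OpenSSH syslog messages for password authentication results.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def root_login_findings(lines, allowed_nets=(), fail_threshold=3):
    """Return (source_ip, reason) findings for root password logins over SSH."""
    allowed = [ip_network(n) for n in allowed_nets]
    fails = defaultdict(int)  # root failures per source IP since its last success
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m or m["user"] != "root":
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            fails[ip] += 1
            if fails[ip] == fail_threshold:  # report once per run of failures
                findings.append((ip, "repeated-root-failures"))
            continue
        # Accepted password for root: check both success-related indicators.
        if fails[ip]:
            findings.append((ip, "failures-then-success"))
        if not any(ip_address(ip) in net for net in allowed):
            findings.append((ip, "root-login-from-unexpected-ip"))
        fails[ip] = 0
    return findings

# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jan 10 02:11:01 onetouch sshd[812]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 02:11:04 onetouch sshd[812]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 02:12:30 onetouch sshd[815]: Accepted password for root from 192.0.2.10 port 51500 ssh2
Jan 10 02:13:09 onetouch sshd[819]: Failed password for root from 203.0.113.7 port 40188 ssh2
Jan 10 02:13:15 onetouch sshd[821]: Accepted password for root from 203.0.113.7 port 40190 ssh2
Jan 10 02:14:00 onetouch sshd[830]: Failed password for invalid user admin from 198.51.100.9 port 33010 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, reason in root_login_findings(SAMPLE_LOG, allowed_nets=["192.0.2.0/24"]):
        print(ip, reason)
```

With an empty allowlist every accepted root password login is reported, which is a reasonable default for a device whose root password is publicly known.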
