CVE-2025-54808
📋 TL;DR
MinKNOW software stores authentication tokens in world-readable temporary directories, allowing local users or malware to steal tokens. If remote access is enabled, stolen tokens can create persistent developer tokens for unauthorized sequencer access. This affects Oxford Nanopore MinKNOW users with versions up to 24.11.
💻 Affected Systems
- Oxford Nanopore MinKNOW
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malware steals token, enables remote access, creates persistent developer token, and establishes unauthorized remote control of sequencing equipment, potentially compromising sensitive genomic data.
Likely Case
Local user or malware accesses token file, uses it to create developer token if remote access is enabled, gaining unauthorized access to sequencer management functions.
If Mitigated
With proper access controls and monitoring, token theft is prevented or detected before remote exploitation occurs.
🎯 Exploit Status
Requires local access to read token file; remote exploitation requires remote access to be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 24.11
Vendor Advisory: https://nanoporetech.com/software/
Restart Required: Yes
Instructions:
1. Check current MinKNOW version.
2. Update to latest version via Oxford Nanopore software portal.
3. Restart MinKNOW service.
4. Verify token storage location is secure.
🔧 Temporary Workarounds
Secure temporary directory permissions
Linux: Change permissions on the /tmp directory or on specific token files so they are not world-readable.
chmod 700 /tmp/minknow_token_file
chown root:root /tmp/minknow_token_file
Disable remote access
Linux: Turn off remote access functionality if it is not required for operations.
minknow --disable-remote-access
🧯 If You Can't Patch
- Implement strict access controls on host systems to prevent unauthorized local access.
- Monitor for unusual token generation or remote access configuration changes.
🔍 How to Verify
Check if Vulnerable:
Check if MinKNOW version is 24.11 or earlier and if authentication tokens exist in world-readable /tmp locations.
Check Version:
minknow --version
Verify Fix Applied:
Verify MinKNOW version is after 24.11 and token files are no longer stored in world-readable directories.
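One way to run the world-readable check described above, as an added example that is not part of the original page or Oxford Nanopore's tooling. The '*token*' file name pattern is an assumption, since the page does not give the real token file name.

```shell
#!/bin/sh
# Added example (not vendor code). The '*token*' name pattern is an assumption:
# the page does not give the real token file name. POSIX ACLs are not examined.

# True if DIR has the "other" execute (search) bit set.
dir_traversable_by_others() {
    [ -n "$(find "$1" -prune -type d -perm -001 2>/dev/null)" ]
}

# Print files under ROOT matching PATTERN that any local user could read:
# the file has the "other" read bit AND every directory from ROOT down to the
# file is searchable by "other". Directories above ROOT are not checked.
exposed_token_files() {
    root=${1%/}
    pattern=$2
    find "$root" -type f -name "$pattern" -perm -004 2>/dev/null |
    while IFS= read -r f; do
        d=$(dirname "$f")
        reachable=1
        while :; do
            dir_traversable_by_others "$d" || { reachable=0; break; }
            # Stop at the audited root (or at / or . as a safety net).
            case $d in "$root"|/|.) break ;; esac
            d=$(dirname "$d")
        done
        [ "$reachable" -eq 1 ] && printf '%s\n' "$f"
    done
    return 0
}

# Usage: sh audit.sh /tmp '*token*'
if [ "$#" -ge 1 ]; then
    exposed_token_files "$1" "${2:-*token*}"
fi
```

An empty result after the update or workaround means no matching file under the audited directory is readable by other local accounts through mode bits alone.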
📡 Detection & Monitoring
Log Indicators:
- Unexpected token generation events
- Remote access configuration changes
- Unauthorized access attempts to sequencer
Network Indicators:
- Unexpected remote connections to sequencer management ports
- Traffic from unauthorized IP addresses to MinKNOW services
SIEM Query:
source="minknow.log" AND (event="token_generated" OR event="remote_access_enabled")