
CVE-2025-10937: CWE-754 Improper Check for Unusual or Exceptional Conditions in Oxford Nano Technologies MinKNOW

Severity: Medium
Type: Vulnerability
Published: Thu Oct 23 2025 (10/23/2025, 18:24:39 UTC)
Source: CVE Database V5
Vendor/Project: Oxford Nano Technologies
Product: MinKNOW

Description

Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 creates a temporary file to store the local authentication token during startup, before copying it to its final location. This temporary file is created in a directory accessible to all users on the system. An unauthorized local user or process can exploit this behavior by placing a file lock on the temporary token file using the flock system call. This prevents MinKNOW from completing the token generation process. As a result, no valid local token is created, and the software is unable to execute commands on the sequencer. This leads to a denial-of-service (DoS) condition, blocking sequencing operations.

AI-Powered Analysis

Last updated: 10/23/2025, 18:39:17 UTC

Technical Analysis

CVE-2025-10937 is a vulnerability classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) affecting Oxford Nanopore Technologies' MinKNOW software, specifically versions at or prior to 24.11. MinKNOW is a critical control software used to operate Oxford Nanopore sequencing devices. During startup, MinKNOW generates a local authentication token to authorize commands on the sequencer. This process involves creating a temporary file in a directory that is accessible to all local users. The vulnerability arises because an unauthorized local user or process can exploit this by placing a file lock on the temporary token file using the flock system call. This lock prevents MinKNOW from completing the token generation process, resulting in no valid token being created. Consequently, the software cannot execute commands on the sequencer, causing a denial-of-service condition that blocks sequencing operations. The attack requires local access with low privileges but no authentication or user interaction. The CVSS 4.0 base score is 6.8 (medium severity), reflecting the local attack vector, low complexity, no privileges required beyond local user, and high impact on availability. There are no known exploits in the wild, and no patches have been linked yet. The vulnerability highlights a design flaw in handling exceptional conditions during token file creation and access control on temporary files in shared directories.

Potential Impact

The primary impact of CVE-2025-10937 is a denial-of-service condition that disrupts the availability of Oxford Nanopore sequencing devices controlled by MinKNOW software. For European organizations involved in genomics research, clinical diagnostics, or biotechnology relying on these sequencers, this could lead to significant operational downtime, delayed research outcomes, and potential financial losses. The inability to execute commands on the sequencer halts sequencing workflows, which may affect time-sensitive projects such as pathogen surveillance, personalized medicine, or agricultural genomics. Since the vulnerability requires local access, insider threats or compromised local accounts pose the greatest risk. The impact on confidentiality and integrity is minimal as the vulnerability does not expose or alter data directly. However, availability disruption in critical research or healthcare environments can have downstream effects on patient care or scientific progress. Organizations with shared systems or multi-user environments are particularly vulnerable due to the permissive directory permissions that allow file locking by unauthorized users.

Mitigation Recommendations

To mitigate CVE-2025-10937, organizations should first restrict permissions on the directory where MinKNOW creates temporary token files to prevent unauthorized users from accessing or locking these files. This can be achieved by configuring strict filesystem ACLs or using dedicated user accounts with isolated home directories for running MinKNOW. Monitoring tools should be deployed to detect unusual file locking activity on token files or related directories. Additionally, enforcing the principle of least privilege for local user accounts reduces the risk of exploitation. Oxford Nanopore Technologies should be engaged to provide a patch or update that changes the token generation process to use secure, user-specific temporary directories or atomic file operations that prevent locking interference. Until a patch is available, organizations should consider isolating sequencing systems from multi-user environments and restricting local access to trusted personnel only. Regular audits of system permissions and user activity logs will help identify potential exploitation attempts early.
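The "user-specific temporary directory plus atomic file operation" pattern recommended above can be sketched as follows. This is an added example, not MinKNOW or Oxford Nanopore code; the function name `write_token_private`, the `token` file name and the sample token are hypothetical. A lock with flock needs an open descriptor on the file, so a temporary file inside a directory that only the service account can enter cannot be locked by other local users, and every failure path is checked rather than assumed away.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: write `token` to dir/name via a temp file in the same
 * private directory. Returns 0 on success, -1 on any unexpected condition. */
int write_token_private(const char *dir, const char *name, const char *token)
{
    struct stat st;
    char tmp[PATH_MAX], dst[PATH_MAX];
    size_t len = strlen(token);

    /* Refuse a directory that is not ours or that group/other can access. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO))) return -1;

    if (snprintf(tmp, sizeof tmp, "%s/.token.XXXXXX", dir) >= (int)sizeof tmp) return -1;
    if (snprintf(dst, sizeof dst, "%s/%s", dir, name) >= (int)sizeof dst) return -1;

    int fd = mkstemp(tmp);          /* exclusive create, mode 0600, random name */
    if (fd < 0) return -1;

    /* A token is small; treat a short write as a failure instead of retrying. */
    ssize_t n = write(fd, token, len);
    int ok = (n == (ssize_t)len) && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;

    /* rename() within one filesystem is atomic: readers see old or new, never partial. */
    if (!ok || rename(tmp, dst) != 0) { unlink(tmp); return -1; }
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/tokdemo.XXXXXX";   /* constructed demo path; mkdtemp uses mode 0700 */
    if (!mkdtemp(dir)) return 1;
    int rc = write_token_private(dir, "token", "constructed-sample-token");
    printf("%s/token: %s\n", dir, rc == 0 ? "written" : "refused");
    return rc != 0;
}
```
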


Technical Details

Data Version: 5.1
Assigner Short Name: icscert
Date Reserved: 2025-09-24T22:17:56.931Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68fa73f6bf11aeb6491dbf78

Added to database: 10/23/2025, 6:29:10 PM

Last enriched: 10/23/2025, 6:39:17 PM

Last updated: 10/30/2025, 1:34:25 PM
