
CVE-2025-54304: n/a

Severity: Critical
Published: Thu Dec 04 2025 (12/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 12/11/2025, 22:03:19 UTC

Technical Analysis

The vulnerability CVE-2025-54304 affects Thermo Fisher Ion Torrent OneTouch 2 INS1005527 sequencing devices. Upon powering on, these devices automatically start an X11 display server that listens on port 6000 on all network interfaces. The X11 server's access control list (ACL) is configured by default to allow connections only from 127.0.0.1 (localhost) and the static IP 192.168.2.15, the address the device is expected to hold.

However, when the device is connected to a network using DHCP, it may receive an IP address different from 192.168.2.15. The ACL still trusts 192.168.2.15, but that address no longer identifies the device itself, so the ACL no longer restricts access as intended and the X11 server becomes reachable from other devices on the local network. An attacker on the same network can connect to the exposed X11 server and interact with the matchbox-desktop environment to spawn a terminal session, which yields root privileges and remote arbitrary code execution without authentication or user interaction.

The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS v3.1 score of 9.8, reflecting critical impact on confidentiality, integrity, and availability. Notably, the affected devices are no longer supported by the vendor, and no patches or mitigations have been released. Although no known exploits are currently in the wild, the ease of exploitation and severity make this a significant threat to environments where these devices are deployed.

Potential Impact

For European organizations, the impact of this vulnerability is substantial, especially in research institutions, clinical laboratories, and biotech companies using Thermo Fisher Ion Torrent OneTouch 2 devices. Exploitation could lead to full system compromise, allowing attackers to execute arbitrary code with root privileges. This could result in unauthorized access to sensitive genomic data, manipulation or destruction of sequencing results, disruption of laboratory workflows, and potential exposure of patient or research data. The ability to remotely compromise these devices without authentication or user interaction increases the risk of lateral movement within internal networks. Given that these devices are often connected to internal networks with sensitive data, the vulnerability could serve as a foothold for broader attacks against organizational infrastructure. The lack of vendor support and patches exacerbates the risk, forcing organizations to rely on network segmentation and other compensating controls to mitigate exposure.

Mitigation Recommendations

Since no patches are available due to the product being unsupported, European organizations should implement strict network segmentation to isolate affected devices from general network access. Restrict access to the subnet where these devices reside, limiting it only to trusted management stations and authorized personnel. Employ firewall rules to block inbound connections to port 6000 on these devices from unauthorized hosts. Disable or restrict DHCP usage to ensure the device retains the expected IP address (192.168.2.15), maintaining the intended X11 ACL restrictions. If feasible, disable the X11 display server startup on these devices or replace it with a more secure remote access method. Monitor network traffic for unusual connections to port 6000 and audit device logs for suspicious activity. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting X11 services. Finally, evaluate the feasibility of replacing unsupported devices with newer, supported models that do not exhibit this vulnerability.
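The monitoring step above (watch for connections to port 6000 that the default X11 ACL should never have admitted) is easy to script against existing firewall or flow logs. The following is an added example, not tooling from the advisory or from the vendor: it assumes iptables/nftables-style `LOG` lines with `SRC=`, `DST=`, `PROTO=` and `DPT=` fields, and the hosts, timestamps and the device's DHCP-assigned address (10.0.5.40) are constructed for the example. It raises three kinds of findings: the device is not at the address the ACL trusts (DHCP drift), an X11 connection to the device from a host outside the ACL, and an X11 connection from the trusted 192.168.2.15 address while the device itself is elsewhere (i.e., some other host now holds the trusted address).

```python
import re
from typing import Dict, List

# Values taken from the advisory: the default X11 ACL trusts loopback and
# 192.168.2.15, and the display server listens on TCP/6000.
EXPECTED_DEVICE_IP = "192.168.2.15"
X11_ACL = {"127.0.0.1", EXPECTED_DEVICE_IP}
X11_PORT = 6000

# iptables/nftables-style LOG line fields; the log source format is an
# assumption of this example, not output from the OneTouch 2 itself.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: hosts and timestamps are invented for this example.
SAMPLE_LOG = """\
Dec 04 10:02:15 fw kernel: ACCEPT IN=lan SRC=10.0.5.77 DST=10.0.5.40 PROTO=TCP SPT=51234 DPT=6000 SYN
Dec 04 10:02:16 fw kernel: ACCEPT IN=lan SRC=10.0.5.77 DST=10.0.5.40 PROTO=TCP SPT=51235 DPT=22 SYN
Dec 04 10:03:40 fw kernel: ACCEPT IN=lan SRC=192.168.2.15 DST=10.0.5.40 PROTO=TCP SPT=41002 DPT=6000 SYN
Dec 04 10:04:01 fw kernel: ACCEPT IN=lan SRC=10.0.5.77 DST=10.0.5.99 PROTO=TCP SPT=51236 DPT=6000 SYN
"""


def audit_x11_exposure(log_text: str, device_ip: str) -> List[Dict[str, str]]:
    """Return findings for X11 exposure of the device currently at device_ip.

    device_ip is the address the device actually holds (e.g. from DHCP leases
    or an ARP/inventory scan); the ACL only ever trusts EXPECTED_DEVICE_IP.
    """
    findings: List[Dict[str, str]] = []

    # 1. DHCP drift: the ACL trusts an address that is no longer the device.
    if device_ip != EXPECTED_DEVICE_IP:
        findings.append({
            "kind": "acl_address_drift",
            "detail": f"device observed at {device_ip}; ACL trusts {EXPECTED_DEVICE_IP}",
        })

    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Only inbound TCP/6000 to the device is of interest here.
        if m["dst"] != device_ip or m["proto"] != "TCP" or int(m["dpt"]) != X11_PORT:
            continue
        src = m["src"]
        if src not in X11_ACL:
            # 2. A host the ACL should reject reached the X11 server at all.
            findings.append({"kind": "x11_from_untrusted_host", "src": src, "line": line})
        elif src != device_ip:
            # 3. The trusted address is talking to the device from outside it,
            #    so another host on the network currently holds 192.168.2.15.
            findings.append({
                "kind": "x11_from_trusted_address_held_by_other_host",
                "src": src,
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in audit_x11_exposure(SAMPLE_LOG, "10.0.5.40"):
        print(f["kind"], f.get("src", ""), f.get("detail", ""))
```

Run with the device's real address as the second argument; when the device holds 192.168.2.15 and nothing else talks to port 6000 the audit returns an empty list, which is the state the mitigation (static addressing plus a port 6000 block at the firewall) is meant to keep you in. Connections to port 6000 on other hosts (the last sample line) are deliberately ignored so the check stays scoped to the sequencer.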


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-07-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6931a58604d931fa5b3e2607

Added to database: 12/4/2025, 3:15:18 PM

Last enriched: 12/11/2025, 10:03:19 PM

Last updated: 1/19/2026, 10:53:34 AM

Views: 62

