
CVE-2025-54306: n/a

Severity: High
Published: Thu Dec 04 2025 (12/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed.

AI-Powered Analysis

AI analysis last updated: 12/11/2025, 22:03:33 UTC

Technical Analysis

CVE-2025-54306 is a remote code execution vulnerability discovered in Thermo Fisher's Torrent Suite Django application version 5.18.1. The flaw exists in the network configuration functionality accessible via the /admin/network endpoint, which allows administrators to modify server network settings. The vulnerability stems from insufficient input validation of network configuration parameters submitted through administrative forms. These parameters are passed as arguments to subprocess.Popen calls without proper sanitization. The application uses two Bash scripts, TSsetnoproxy and TSsetproxy, to apply network configurations by writing user-controlled data directly into environment variables. After updating these variables, the scripts execute a source command on /etc/environment. Because the environment variables are not sanitized, an attacker with administrative privileges can inject malicious commands that get executed in the shell context, leading to arbitrary code execution on the server. This vulnerability affects confidentiality, integrity, and availability, as attackers can execute arbitrary commands, potentially leading to data theft, system compromise, or denial of service. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, required privileges (high), no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are known yet, but the vulnerability is critical for environments relying on this software for genomic data analysis and research workflows.

Potential Impact

For European organizations, especially those in biotechnology, pharmaceutical research, and healthcare sectors using Thermo Fisher's Torrent Suite, this vulnerability poses a significant risk. Exploitation could lead to unauthorized code execution on critical servers managing sensitive genomic and research data, resulting in data breaches, manipulation of research results, or disruption of critical services. The compromise of network configuration could also allow attackers to pivot within internal networks, escalating attacks. Given the high confidentiality and integrity requirements of research data, the impact could extend to regulatory non-compliance under GDPR and other data protection laws. Additionally, disruption of research workflows could delay critical scientific progress. The requirement for administrative privileges limits the attack surface but insider threats or compromised administrator credentials could facilitate exploitation. The lack of known exploits currently provides a window for proactive mitigation.

Mitigation Recommendations

1. Immediately restrict administrative access to the /admin/network endpoint to trusted personnel only, using strong multi-factor authentication and network segmentation.
2. Apply strict input validation and sanitization on all network configuration parameters before they are passed to subprocess calls or environment variables.
3. Modify the TSsetnoproxy and TSsetproxy scripts to avoid writing user-controlled data directly into environment variables or executing source commands on /etc/environment without validation.
4. Monitor logs for unusual administrative activity or unexpected environment variable changes.
5. Implement application-level logging and alerting for changes to network configurations.
6. Conduct a thorough review of all subprocess calls in the application to ensure no other injection vectors exist.
7. If possible, deploy application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block suspicious command executions.
8. Coordinate with Thermo Fisher for patches or updates addressing this vulnerability and apply them promptly once available.
9. Educate administrators on the risks of this vulnerability and enforce the principle of least privilege.
10. Regularly audit and rotate administrative credentials to reduce risk of credential compromise.
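Mitigation items 2 and 4 call for allowlist validation of the submitted network parameters and for auditing changes to the environment file that the scripts source. The Python below is an added example written for this page, not Torrent Suite's or Thermo Fisher's code: it validates proxy form fields before they could reach a subprocess call or a script, renders /etc/environment assignments so that `source` treats the value as literal text, and flags lines in an environment-style file that are not plain literal assignments. The hostname and user-name allowlists, the function names and the sample file contents are this example's own assumptions, not the product's rules.

```python
"""Hardening and audit helpers for the proxy-configuration flow described in
CVE-2025-54306.  Added illustration for this page; not Torrent Suite code."""
import re
import shlex
from typing import Dict, List

# Allowlists for what an administrator may submit.  These are constructed
# policy choices for this example, not Torrent Suite's own validation rules.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")      # hostname or dotted IPv4
_USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# A line that is safe to `source`: KEY= followed by a bare token drawn from the
# same character set shlex.quote leaves unquoted, a single-quoted string in the
# form shlex.quote emits, or a double-quoted string with nothing bash expands.
_SAFE_LINE_RE = re.compile(
    r'''^(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*=(?:'''
    r'''[A-Za-z0-9_@%+=:,./-]*'''        # bare token
    r'''|(?:'[^']*'|"'")+'''             # single-quoted (shlex.quote output form)
    r'''|"[^"$`\\]*"'''                  # double-quoted, no $ ` \ or nested "
    r''')$'''
)


class ProxyConfigError(ValueError):
    """Raised when a submitted proxy parameter fails validation."""


def validate_proxy_settings(host: str, port: str, user: str = "",
                            password: str = "") -> Dict[str, str]:
    """Allowlist-validate form input before it reaches any subprocess or file.

    Host must be a plain hostname or dotted IPv4, port an integer in 1..65535,
    user a simple account name.  The password is treated as opaque data but may
    not contain control characters, which would let a value span lines in the
    environment file.
    """
    host = host.strip()
    if not _HOST_RE.match(host):
        raise ProxyConfigError(f"invalid proxy host: {host!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ProxyConfigError(f"invalid proxy port: {port!r}")
    if user and not _USER_RE.match(user):
        raise ProxyConfigError(f"invalid proxy user: {user!r}")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        raise ProxyConfigError("control characters are not allowed in the password")
    return {"host": host, "port": str(int(port)), "user": user, "password": password}


def render_environment_line(key: str, value: str) -> str:
    """Produce a KEY='value' line that `source` reads as literal text.

    shlex.quote single-quotes anything outside its safe character set, so no
    parameter expansion, command substitution or word splitting can happen when
    the file is sourced, whatever the value contains.
    """
    if not _KEY_RE.match(key):
        raise ProxyConfigError(f"invalid environment key: {key!r}")
    return f"{key}={shlex.quote(value)}"


def find_unsafe_environment_lines(text: str) -> List[str]:
    """Return the lines of an /etc/environment-style file that are not plain,
    literal assignments.  Anything else (unquoted $ or backticks, separators,
    extra commands) is returned for review, which is the check mitigation 4
    asks for on the file the scripts source."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not _SAFE_LINE_RE.match(line):
            flagged.append(raw)
    return flagged


# Constructed sample file for the demonstration; not a real host's contents.
SAMPLE_ENVIRONMENT = """\
# constructed sample
PATH="/usr/local/bin:/usr/bin:/bin"
http_proxy='http://proxy.example.internal:3128'
no_proxy=localhost,127.0.0.1
https_proxy=$(hostname)
"""

if __name__ == "__main__":
    settings = validate_proxy_settings("proxy.example.internal", "3128", "svc")
    print(render_environment_line("http_proxy",
                                  f"http://{settings['host']}:{settings['port']}"))
    for bad in find_unsafe_environment_lines(SAMPLE_ENVIRONMENT):
        print("flagged:", bad)
```

Passing the validated values to the script as an argument list (no `shell=True`) keeps the shell from parsing them on the way in, but that alone does not fix the flaw the advisory describes: the script still writes the values into a file that is later sourced, so the write itself must quote them as `render_environment_line` does, and an audit such as `find_unsafe_environment_lines` catches a file that was written any other way.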


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-07-18T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6931a58604d931fa5b3e2611

Added to database: 12/4/2025, 3:15:18 PM

Last enriched: 12/11/2025, 10:03:33 PM

Last updated: 1/18/2026, 11:54:07 AM
