Oxford Nanopore Technologies MinKNOW
Plan Patch | CVSS 8.6 | ICS-CERT ICSMA-25-294-01 | Oct 21, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
MinKNOW versions before 24.11 contain authentication bypass and credential handling vulnerabilities (CWE-306, CWE-522, CWE-754) that allow unauthenticated network attackers to disrupt sequencing operations, exfiltrate and manipulate research data, and bypass authentication controls.
What this means
What could happen
An attacker with network access to MinKNOW could bypass authentication, run unauthorized commands on the sequencing instrument, disrupt genetic sequencing operations, steal or alter research data, and halt laboratory processing.
Who's at risk
This affects laboratory and medical research facilities using Oxford Nanopore MinKNOW for DNA/RNA sequencing. Any organization running MinKNOW versions before 24.11 on networked instruments should prioritize this update to prevent unauthorized access to sequencing data and instrument control.
How it could be exploited
An attacker with network access reaches MinKNOW without needing valid credentials. By exploiting the authentication bypass vulnerabilities, the attacker gains command execution on the instrument, allowing them to manipulate sequencing parameters, stop ongoing runs, or exfiltrate research data.
Prerequisites
- Network access to MinKNOW instance (port/protocol not specified in advisory)
- No valid credentials required
Tags: Remotely exploitable, No authentication required, Authentication bypass, Data exfiltration risk, Operational disruption, Low complexity
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| MinKNOW: <24.06 | <24.06 | 24.11 |
| MinKNOW: <24.11 | <24.11 | 24.11 |
Remediation & Mitigation
Do now
- WORKAROUND: Disable Remote Connect feature in MinKNOW unless required for operations, and restrict it to trusted networks only
- WORKAROUND: If unable to upgrade immediately, contact Oxford Nanopore Support for interim security configuration guidance
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade MinKNOW to version 24.11 or later