Oxford Nanopore Technologies MinKNOW

Plan Patch8.6ICS-CERT ICSMA-25-294-01Oct 21, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Oxford Nanopore Technologies MinKNOW DNA sequencing software contains three vulnerabilities (CWE-306 missing authentication, CWE-522 insufficient credential storage, CWE-754 improper error handling) that allow remote attackers to bypass authentication controls, exfiltrate genetic data, manipulate sequencing results, and disrupt operational processes. Affected versions are MinKNOW prior to 24.11. Successful exploitation requires only network access with no user credentials or interaction.

What this means

What could happen

An attacker with network access could disrupt DNA sequencing operations, steal or alter genetic data, and bypass authentication to gain unauthorized control of the sequencing system.

Who's at risk

Genomics and research laboratories using Oxford Nanopore MinKNOW DNA sequencing software are affected. This includes university sequencing centers, clinical diagnostic labs, and biotech companies running any MinKNOW version prior to 24.11.

How it could be exploited

An attacker on the network sends crafted requests to the MinKNOW application (port/endpoint details not specified in advisory). The vulnerabilities allow authentication bypass and privilege escalation, letting the attacker run commands or access data without valid credentials.

Prerequisites

Network access to MinKNOW application
MinKNOW version prior to 24.11 deployed
Remote Connect feature enabled (for remote exploitation)

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for versions <24.11Affects data integrity and operational continuityAuthentication bypass vulnerability

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

MinKNOW: <24.06<24.0624.11

MinKNOW: <24.11<24.1124.11

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDDisable Remote Connect feature in MinKNOW unless required for operations; if needed, enable only within trusted networks with firewall restrictions

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade MinKNOW to version 24.11 or later

WORKAROUNDContact Oxford Nanopore Support for configuration guidance if immediate upgrade is not possible

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate MinKNOW systems from untrusted network segments

CVEs (3)

CVE-2024-35585 CVE-2025-54808 CVE-2025-10937

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e3f41d85-ee8e-4153-a7b2-340ede356421