PatchSiren cyber security CVE debrief
CVE-2025-10937 Oxford Nanopore Technologies CVE debrief
CVE-2025-10937 is a local denial-of-service issue in Oxford Nanopore Technologies MinKNOW. On affected versions at or prior to 24.11, startup creates a temporary file for the local authentication token in a directory accessible to all users. A local user or process can place a flock lock on that temporary file, preventing token generation and stopping MinKNOW from executing commands on the sequencer. The result is a sequencing interruption rather than code execution or data theft.
- Vendor: Oxford Nanopore Technologies
- Product: MinKNOW
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-21
- Original CVE updated: 2025-10-21
- Advisory published: 2025-10-21
- Advisory updated: 2025-10-21
Who should care
Sequencing labs, MinKNOW operators, and system administrators running MinKNOW on shared or multi-user systems should care most, especially where untrusted local users or processes can access the host.
Technical summary
According to the CISA CSAF advisory, MinKNOW at or before version 24.11 writes a temporary file for the local authentication token during startup before copying it to its final location. Because that temporary file is created in a directory accessible to all users, a local attacker or process can use flock to hold the file lock and block token generation. Without a valid local token, MinKNOW cannot execute commands on the sequencer, producing a denial-of-service condition that disrupts sequencing operations. The supplied CVSS vector is local, low-complexity, and availability-only: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
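When sequencing stalls on a Linux host, the lock condition described above can be triaged by matching flock entries in /proc/locks against files in the token's temporary directory. The script below is an added example, not code from Oxford Nanopore or the advisory; the directory (placeholder `TOKEN_TMP_DIR`, defaulting to `/tmp`), the function names and the sample lock lines are assumptions constructed for illustration.

```python
import os
import stat

# Constructed sample in Linux /proc/locks format (not captured from a real host).
SAMPLE_PROC_LOCKS = """\
1: POSIX  ADVISORY  WRITE 812 08:02:131090 0 EOF
2: FLOCK  ADVISORY  WRITE 4321 08:02:262155 0 EOF
2: -> FLOCK  ADVISORY  WRITE 977 08:02:262155 0 EOF
"""

def parse_flocks(text):
    """Parse /proc/locks text and return only the flock(2) entries."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        blocked = len(f) > 1 and f[1] == "->"  # waiter queued behind a holder
        if blocked:
            del f[1]
        if len(f) != 8 or f[1] != "FLOCK":
            continue
        major, minor, inode = f[5].split(":")  # device numbers are hex, inode is decimal
        entries.append({"pid": int(f[4]), "mode": f[3], "blocked": blocked,
                        "key": (int(major, 16), int(minor, 16), int(inode))})
    return entries

def audit_token_dir(directory, locks_text):
    """Report whether `directory` is open to other users and which PIDs
    hold or wait on flock locks for regular files directly inside it."""
    dmode = os.stat(directory).st_mode
    report = {"world_writable": bool(dmode & stat.S_IWOTH),
              "world_searchable": bool(dmode & stat.S_IXOTH),
              "locks": []}
    by_key = {}
    for e in parse_flocks(locks_text):
        by_key.setdefault(e["key"], []).append(e)
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        # Caveat: on btrfs/overlayfs st_dev can differ from the device in /proc/locks.
        key = (os.major(st.st_dev), os.minor(st.st_dev), st.st_ino)
        for e in by_key.get(key, []):
            report["locks"].append({"path": entry.path, "pid": e["pid"],
                                    "mode": e["mode"], "blocked": e["blocked"]})
    return report

if __name__ == "__main__":
    # TOKEN_TMP_DIR is a placeholder: the text here does not name the directory.
    target = os.environ.get("TOKEN_TMP_DIR", "/tmp")
    with open("/proc/locks") as fh:
        print(audit_token_dir(target, fh.read()))
```

A holder PID that is not a MinKNOW process, paired with a `blocked` waiter on the same file, is the pattern to investigate.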
Defensive priority
Medium. The issue is local-only and availability-focused, but it can halt sequencing operations on affected hosts.
Recommended defensive actions
- Upgrade MinKNOW to a version later than 24.11 as recommended by Oxford Nanopore Technologies.
- If you cannot upgrade immediately, follow Oxford Nanopore's guidance for older versions and contact support for configuration-specific advice.
- Keep Remote Connect disabled unless it is strictly required, and enable it only in trusted network environments.
- Maintain endpoint protection, including antivirus and malware scanning tools, to help mitigate local denial-of-service conditions.
- Apply CISA ICS recommended practices and general host hardening on systems that run MinKNOW, especially where multiple local users or processes are present.
Evidence notes
Primary evidence comes from the CISA CSAF advisory published on 2025-10-21 for Oxford Nanopore Technologies MinKNOW. The advisory states that affected versions at or prior to 24.11 create a temporary token file in a directory accessible to all users and that a local flock lock can prevent token generation, causing a denial-of-service that blocks sequencing operations. The supplied CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. No CISA KEV entry was provided.
Official resources
- CVE-2025-10937 CVE record (CVE.org)
- CVE-2025-10937 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
Publicly disclosed by CISA in the initial advisory publication on 2025-10-21 06:00:00 UTC; modified the same day. This debrief reflects the advisory timing and supplied source corpus. The advisory was not identified as a CISA KEV item in the