CVE-2025-54303
Thermo Fisher · Torrent Suite Django application
The Thermo Fisher Torrent Suite Django application 5.18.1 ships with weak default administrative credentials that the application never forces operators to change, allowing unauthorized access to the Django ORM API.
Executive summary
A critical vulnerability in the Thermo Fisher Torrent Suite Django application allows unauthenticated attackers to gain administrative access via hardcoded default credentials.
Vulnerability
This vulnerability involves the use of weak, hardcoded default credentials for the "ionadmin" account within the Django ORM API. Because the software fails to enforce a password change policy, attackers can easily authenticate with administrative privileges.
Business impact
The exploitation of this vulnerability grants an attacker full administrative control over the application. Given the CVSS score of 9.8, this poses a severe risk of total system compromise, unauthorized data access, and potential manipulation of sensitive sequencing data. The lack of enforced credential rotation significantly increases the likelihood of successful lateral movement within the network.
Remediation
Immediate Action: Change the default "ionadmin" password immediately to a complex, unique string and implement an organizational policy for credential rotation.
Proactive Monitoring: Review access logs for successful logins originating from unauthorized or unexpected IP addresses, particularly those targeting the Django ORM API.
Compensating Controls: Restrict network access to the Torrent Suite application using access control lists (ACLs) or a firewall to ensure it is not exposed to untrusted networks.
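A worked example of the log review recommended under Proactive Monitoring, added here and not part of this advisory or of Torrent Suite itself: it scans constructed Apache/nginx combined-format access log lines for successful logins and API requests from addresses outside an allowlist. The endpoint paths (/login/, /rundb/api/), the log format and the sample lines are assumptions and should be replaced with the deployment's own.

```python
import ipaddress
import re
from typing import Dict, List

# Combined-log-format regex: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed endpoint paths; substitute the deployment's actual login and API routes.
LOGIN_PATH, API_PREFIX = "/login/", "/rundb/api/"

# Constructed sample lines (not real Torrent Suite logs): internal, external, and one failed login.
SAMPLE_LOG = """\
10.0.5.12 - - [01/Sep/2025:09:12:01 +0000] "POST /login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.12 - - [01/Sep/2025:09:12:02 +0000] "GET /rundb/api/v1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Sep/2025:09:40:15 +0000] "POST /login/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.77 - - [01/Sep/2025:09:40:16 +0000] "GET /rundb/api/v1/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [01/Sep/2025:10:02:44 +0000] "POST /login/ HTTP/1.1" 200 0 "-" "curl/8.0"
"""


def _is_allowed(ip: str, allowed: list) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # unparsable address: treat as untrusted
        return False
    return any(addr in net for net in allowed)


def find_suspicious_access(log_text: str, allowed_cidrs: List[str]) -> List[Dict[str, str]]:
    """Report login successes and API hits from addresses outside the allowlist.
    Django's LoginView redirects (302) on success and re-renders the form (200)
    on failure, so only a 302 to the login path counts as a successful login."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or _is_allowed(m["ip"], allowed):
            continue
        path, status = m["path"], m["status"]
        if m["method"] == "POST" and path == LOGIN_PATH and status == "302":
            kind = "login_success"
        elif path.startswith(API_PREFIX) and status.startswith("2"):
            kind = "api_access"
        else:
            continue
        findings.append({"kind": kind, "ip": m["ip"], "time": m["ts"], "path": path})
    return findings
```

Run it against the real access log with the site's management networks as the allowlist; any login_success finding for the "ionadmin" account from an unexpected address warrants the credential rotation described above.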
Exploitation status
Public Exploit Available: N/A
Analyst recommendation
This vulnerability represents a significant security oversight that provides trivial access to administrative functions. Administrators must prioritize updating credentials immediately and ensuring the application is isolated from public-facing network segments to mitigate the risk of unauthorized access.