The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges.
Default credentials for the ionadmin account are stored as fixtures for Django ORM API and provided with the software. The user documentation recommends changing these credentials after installation, however the software does not enforce this change through any password management policy. As a result, many production deployments may still use the default login/password pair, allowing an attacker with network access to authenticate immediately without needing to crack passwords.
Attacker gains full administrative access to the application, allowing reading, modification or deletion of data, as well as potential takeover of the DNA sequencing data analysis system.
Default password for the ionadmin account must be changed immediately in all Torrent Suite Software deployments. Patches available from the manufacturer should be applied according to references. Additionally, it is recommended to restrict network access to the management interface exclusively to trusted IP addresses and implement a policy enforcing default password changes at first login.
Thermo Fisher Torrent Suite Software version 5.18.1 (Django application) — deployments that have not changed the default credentials for the ionadmin account
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThermofisher Torrent Suite Software
APPThermofisher5.18.1
Related vulnerabilities
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares i...
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution ...
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/p...
Słabe domyślne hasło root w urządzeniu Thermo Fisher Ion Torrent OneTouch 2
Niezabezpieczony serwer X11 w Thermo Fisher Ion Torrent OneTouch 2 umożliwia RCE z uprawnieniami root