Cyber Posture

CVE-2025-54307

High

Published: 04 December 2025
Modified: 16 December 2025
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint.
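The description above boils down to a destination path composed from a client-controlled name with no checks. The following is an added illustration, not code from the Torrent Suite project: flawed_destination reconstructs the pattern the advisory describes (extension taken by splitting the name, result formatted straight into a path), and hardened_destination shows the checks a defender would expect in an upload handler. UPLOAD_DIR, ALLOWED_EXTENSIONS and all function names are assumed for the example; the advisory names neither the real upload directory nor the application's extension policy.

```python
import os
import re

# Constructed values for illustration only (not taken from the advisory).
UPLOAD_DIR = "/srv/app/uploads"
ALLOWED_EXTENSIONS = {"zip"}
# One filename component: starts alphanumeric, then a bounded set of safe chars.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def flawed_destination(upload_dir, name, uploaded_filename):
    """Reconstruction of the pattern the advisory describes (not the project's
    code): the client-supplied name is split on '.' for its extension and
    formatted straight into the destination path with no sanitization."""
    raw = name or uploaded_filename
    stem, _, ext = raw.rpartition(".")
    return "%s/%s.%s" % (upload_dir, stem, ext)


def is_confined(path, upload_dir):
    """Lexical check: after normalising '..' and duplicate separators, does
    `path` still sit strictly below `upload_dir`?"""
    base = os.path.normpath(upload_dir)
    target = os.path.normpath(path)
    return os.path.commonpath([base, target]) == base and target != base


def hardened_destination(upload_dir, name, uploaded_filename):
    """Build a destination path that cannot leave `upload_dir`; raises
    ValueError (which the view should log and turn into a 400) otherwise."""
    raw = (name or uploaded_filename or "").strip()
    # Reject anything that looks like a path rather than a bare filename,
    # treating backslash as a separator too so Windows-style input is caught.
    if not raw or os.path.basename(raw.replace("\\", "/")) != raw:
        raise ValueError("filename must be a single path component")
    stem, dot, ext = raw.rpartition(".")
    if not dot or not stem or not ext:
        raise ValueError("filename needs both a stem and an extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension %r is not allowed" % ext)
    if not _SAFE_STEM.match(stem):
        raise ValueError("filename contains unsafe characters")
    dest = os.path.join(upload_dir, "%s.%s" % (stem, ext))
    # Defence in depth: confirm the composed path is still under the upload dir.
    if not is_confined(dest, upload_dir):
        raise ValueError("destination escapes upload directory")
    return dest


if __name__ == "__main__":
    print(hardened_destination(UPLOAD_DIR, "plugin.zip", None))
    print(is_confined(flawed_destination(UPLOAD_DIR, "../outside.zip", None), UPLOAD_DIR))
```

The design choice worth noting is that the hardened builder rejects rather than silently strips directory components: an upload name containing a separator or a leading dot is a signal worth logging, and an allowlist of extensions plus a final confinement check means no single filter has to be perfect.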

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly addresses the path traversal by requiring validation and sanitization of the 'name' parameter and uploaded filenames used to construct destination paths in the file upload endpoints.

prevent: Enforces least privilege to restrict low-privilege users from accessing the vulnerable /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints.

detect: Monitors the integrity of critical executables such as pdflatex to detect unauthorized overwrites that would enable remote code execution via subprocess.Popen.
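The detect control above is file integrity monitoring of executables the application later runs. As an added example (not part of this record or of any Thermo Fisher tooling), the block below records a SHA-256 and permission-bit baseline for a list of monitored binaries and reports any that have changed or gone missing. The path list is an assumption for illustration; in a real deployment it would name the pdflatex binary and any other executables the web application invokes, and the baseline would be stored somewhere the web application's user cannot write.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest and permission bits for each monitored executable."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_of(p), "mode": st.st_mode & 0o777}
    return baseline


def verify_baseline(baseline):
    """Return (path, reason) pairs for every monitored file that no longer
    matches the baseline. An empty list means nothing changed."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        if sha256_of(p) != expected["sha256"]:
            findings.append((p, "content changed"))
        if (os.stat(p).st_mode & 0o777) != expected["mode"]:
            findings.append((p, "mode changed"))
    return findings


def demo_in_tempdir():
    """Self-contained run on a constructed stand-in for a monitored binary:
    returns the findings before and after the file is overwritten."""
    with tempfile.TemporaryDirectory() as d:
        fake_binary = os.path.join(d, "pdflatex")  # constructed stand-in path
        with open(fake_binary, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(fake_binary, 0o755)
        baseline = build_baseline([fake_binary])
        before = verify_baseline(baseline)
        with open(fake_binary, "wb") as f:  # simulate an unauthorized overwrite
            f.write(b"#!/bin/sh\necho replaced\n")
        after = verify_baseline(baseline)
        return [r for _, r in before], [r for _, r in after]


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Run periodically (or triggered by inotify on the monitored directory), a non-empty result from verify_baseline is the alert; comparing against a baseline that the web application's own account cannot modify is what makes the check meaningful against the write-anywhere primitive this CVE describes.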

Security Summary (AI-generated)

CVE-2025-54307, published on 2025-12-04, is a path traversal vulnerability (CWE-22) affecting the Thermo Fisher Torrent Suite Django application version 5.18.1, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability resides in the /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints, which allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function constructs the destination file path using either the unsanitized "name" parameter or the uploaded filename; the file extension is extracted by splitting the filename, and a format string is used to build the final path, enabling directory traversal.

An authenticated attacker with low privileges and network connectivity to the server can exploit this issue to write arbitrary files outside the intended directory. By overwriting an executable file such as pdflatex, which is invoked via subprocess.Popen in the write_report_pdf function during requests to /report/latex/(\d+).pdf endpoints, the attacker can achieve remote code execution on the server.

The provided references link to Thermo Fisher documentation, including the Torrent Suite 5.18 user guide (MAN0026163), a product guide for Ion OneTouch 2 and Torrent Suite Software, and the Ion Torrent Suite Software product page, but they do not detail specific advisories, patches, or mitigation steps for this vulnerability.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: thermofisher torrent suite software 5.18.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The path traversal vulnerability enables low-privileged authenticated attackers to perform arbitrary file writes, including overwriting executables like pdflatex invoked via subprocess, directly facilitating remote code execution consistent with Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References