Thermo Fisher patch‑critical privilege bug

- Thermo Fisher Scientific’s Torrent Suite Dx through version 5.14.2 was listed on May 18 with privilege-escalation flaw CVE-2026-41085 affecting authenticated users.
- GitHub’s advisory database labels CVE-2026-41085 high severity with an 8.8 CVSS score and says low-privilege users could gain administrator-level access.
- Thermo Fisher’s security bulletins page lists a Torrent Suite Dx software notice last updated June 28, 2024; customers should seek current remediation details.

Thermo Fisher Scientific’s Torrent Suite Dx software through version 5.14.2 has been identified in public vulnerability records as affected by CVE-2026-41085, a privilege-escalation flaw published on May 18, 2026. Public CVE records say the issue could allow an authenticated user with limited access privileges to gain administrator-level privileges through specific system interfaces. GitHub’s advisory database classifies the issue as high severity and shows a CVSS 3.1 base score of 8.8. Thermo Fisher’s public security bulletins page lists a Torrent Suite Dx software notice, but the company’s main site was not fully accessible for independent review because of access restrictions.

### What is actually confirmed in the public record?

CVE-2026-41085 appears in public CVE aggregators as a published record dated May 18, 2026. The description says Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 contains a privilege-escalation vulnerability that may let an authenticated user with limited privileges gain unauthorized administrator-level privileges. The same wording appears in GitHub’s advisory database entry for the CVE. (cve.report)

GitHub’s advisory entry marks the record “unreviewed,” lists no patched version, and cites the National Vulnerability Database and a Thermo Fisher document as references. The advisory also maps the issue to CWE-269, improper privilege management.

### Does a vendor bulletin exist for this product line?

Thermo Fisher’s public security bulletins page lists “Torrent Suite Dx Software, versions 5.14 and earlier” with an original post date of February 7, 2024, and a last update date of June 28, 2024. (cve.report) A separate indexed Thermo Fisher document labeled as a medical device advisory notice says vulnerabilities were identified in Torrent Suite Dx software versions 5.14 and earlier and says the company had not received reports that the vulnerabilities had been exploited at the time of that notice. (github.com)

The available public snippets do not, by themselves, confirm whether the 2024 vendor notice and CVE-2026-41085 refer to the same underlying flaw or whether a newer vendor advisory has been issued. Thermo Fisher’s documents domain shows a security bulletin file tied to Torrent Suite Dx software version 5.14.2, but the full bulletin text was not retrievable in this session. (corporate.thermofisher.com)

### How serious is the flaw as described?

GitHub’s advisory database gives the issue a CVSS 3.1 score of 8.8 and labels it high severity. The listed vector says the flaw is network-accessible, requires low privileges, needs no user interaction, and could affect confidentiality, integrity and availability at a high level if exploited. The public description matters because it centers on authenticated users rather than unauthenticated outsiders. (documents.thermofisher.com) In practice, that means the reported path begins after a user already has some level of access, according to the CVE text.

### What should customers ask Thermo Fisher now?

Customers using Torrent Suite Dx should ask Thermo Fisher whether their installed version is affected, whether a fixed version exists, and whether compensating controls are available if immediate patching is not possible. (github.com) The public CVE and GitHub records do not list a patched version. CISA’s general guidance on device updates and patching says vulnerabilities that allow privilege escalation can require immediate action when agencies assess them as posing unacceptable risk. (cve.report) CISA has also repeatedly urged critical-infrastructure organizations to apply patches for internet-facing systems and plan for supported technology lifecycles.

### What is the next concrete step to watch?

May 18, 2026 is the public disclosure date shown in the CVE record, and the clearest next milestone is a vendor statement naming affected builds, fixed versions or mitigation steps. (github.com) Thermo Fisher’s public security bulletins page and any update to the referenced Torrent Suite Dx advisory document are the primary places customers can monitor for that information. (cve.report) (cisa.gov)
