CISA: Mirion Medical NMIS BioDose vulnerabilities affect versions prior to 23.0
Mirion Medical EC2 Software NMIS BioDose products prior to version 23.0 contain multiple vulnerabilities — including incorrect permission assignment, use of client-side authentication, and hard-coded credentials — that can enable modification of executables, unauthorized application and database access, and arbitrary code execution.
Affected product: EC2 Software NMIS BioDose, versions prior to 23.0 (NMIS/BioDose V22.02 and earlier).

Vulnerable components and conditions:
- Insecure file permissions on the installation directory allow program executables and libraries to be modified.
- In networked installations that use the embedded Microsoft SQL Server Express, Windows share paths expose the SQL Server database and configuration files.
- The application connects with a single shared SQL Server login and performs the password check on the client side; V23.0 adds an option to use Windows authentication instead.
- Executable binaries contain hard-coded passwords in plain text.
- The SQL login 'nmdbuser' and other accounts the product creates default to the sysadmin server role, which can enable remote code execution through certain built-in stored procedures.

Scores (the advisory lists them per CVE without mapping each CVE to one of the conditions above):
CVE-2025-64642: Common Vulnerability Scoring System (CVSS) v3.1 base score 8.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H); CVSS v4 base score 7.1 (AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).
CVE-2025-64298: CVSS v3.1 base score 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v4 base score 8.6 (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
CVE-2025-61940: CVSS v3.1 base score 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L); CVSS v4 base score 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).
CVE-2025-64778: CVSS v3.1 base score 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L); CVSS v4 base score 8.4 (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).
CVE-2025-62575: CVSS v3.1 base score 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L); CVSS v4 base score 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).
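As an added example, not taken from the CISA advisory or from Mirion Medical, the following PowerShell audit checks an existing pre-23.0 host for the conditions above that an operator can observe locally: broad write access on the install directory and its executables, SMB shares that expose that directory, and sysadmin membership of the application's SQL login (plus whether xp_cmdshell is enabled). The install path and instance name are placeholders, and xp_cmdshell is used here as the representative sysadmin-only procedure that gives OS command execution; the advisory names the login 'nmdbuser' but does not name a specific stored procedure.

```powershell
# Added audit script; not part of the CISA advisory or of Mirion Medical's software.
# Assumptions (adjust per site): the install directory and SQL instance name are
# placeholders, and xp_cmdshell is used as the representative sysadmin-only
# procedure that yields OS command execution (the advisory does not name one).
# Run from an elevated Windows PowerShell session as a Windows account that is
# a SQL Server administrator.
param(
    [string]$InstallDir  = 'C:\Program Files (x86)\EC2Software\NMIS',  # assumed path
    [string]$SqlInstance = '.\SQLEXPRESS',                             # assumed instance
    [string]$SqlLogin    = 'nmdbuser'                                  # named in the advisory
)

# Principals that should never hold write rights on application binaries.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# 1. Install directory and its executables/libraries: an Allow ACE that grants a
#    broad principal write/modify/full control lets a local user replace code
#    that other users or services will later run.
function Test-InstallDirAcl {
    param([string]$Path)
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll)
    foreach ($item in $targets) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band ([int]$WriteMask)) -ne 0) {
                [pscustomobject]@{
                    Check     = 'WeakAcl'
                    Target    = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# 2. SMB shares whose path contains (or lies under) the install directory expose
#    the database and configuration files to the network; each share's access
#    list is reported so admin-only shares can be told apart from open ones.
function Test-ExposingShares {
    param([string]$Path)
    foreach ($share in (Get-SmbShare | Where-Object { $_.Path })) {
        $cmp = [System.StringComparison]::OrdinalIgnoreCase
        if ($Path.StartsWith($share.Path, $cmp) -or $share.Path.StartsWith($Path, $cmp)) {
            foreach ($acc in Get-SmbShareAccess -Name $share.Name) {
                [pscustomobject]@{
                    Check     = 'ExposingShare'
                    Target    = "\\$env:COMPUTERNAME\$($share.Name) -> $($share.Path)"
                    Principal = $acc.AccountName
                    Rights    = "$($acc.AccessControlType) $($acc.AccessRight)"
                }
            }
        }
    }
}

# 3. SQL Server: every member of sysadmin (flagging the application login), and
#    whether xp_cmdshell is currently enabled. Uses Windows authentication.
function Get-SqlSysadminRisk {
    param([string]$Instance, [string]$Login)
    $cs   = "Server=$Instance;Integrated Security=True;TrustServerCertificate=True"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT p.name AS LoginName,
       CASE WHEN p.name = @login THEN 1 ELSE 0 END AS IsAppLogin,
       (SELECT CAST(value_in_use AS int) FROM sys.configurations
         WHERE name = 'xp_cmdshell') AS XpCmdShellEnabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.name
"@
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            [pscustomobject]@{
                Check     = 'SysadminMember'
                Target    = $Instance
                Principal = $rdr['LoginName']
                Rights    = "sysadmin; app login=$($rdr['IsAppLogin']); xp_cmdshell=$($rdr['XpCmdShellEnabled'])"
            }
        }
        $rdr.Close()
    } finally { $conn.Close() }
}

$findings = @(Test-InstallDirAcl -Path $InstallDir) +
            @(Test-ExposingShares -Path $InstallDir) +
            @(Get-SqlSysadminRisk -Instance $SqlInstance -Login $SqlLogin)
$findings | Format-Table -AutoSize
```

The script only reports. Removing 'nmdbuser' from sysadmin or tightening the directory ACL on a pre-23.0 install may break the application, since the product expects those defaults; the advisory's fix is the upgrade to V23.0, and the checks above are useful mainly to confirm the upgrade (and any switch to Windows authentication) actually removed the weak settings on each host.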
If exploited successfully, an attacker could modify program executables, gain access to sensitive information, gain unauthorized access to the application, and execute arbitrary code.
Mirion Medical recommends users update to V23.0 or later. Users with an active support contract should update to the latest version through the software or contact Mirion Medical support directly.
CISA recommends minimizing network exposure for control system devices and ensuring they are not accessible from the Internet; locating control system networks and remote devices behind firewalls and isolating them from business networks; and, when remote access is required, using more secure methods such as Virtual Private Networks while keeping such technologies updated. CISA also advises performing proper impact analysis and risk assessment before deploying defensive measures, following internal procedures and reporting suspected malicious activity to CISA, and using available control systems security recommended practices and guidance on social engineering and phishing avoidance.