High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose
Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose software. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.
Mirion Medical EC2 Software NMIS BioDose is used by healthcare providers to track inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0, and users have been urged to update to v23.0 or later to prevent exploitation. Users with an active support contract can update to the latest version from within the software. At the time the updated version was issued, there had been no known exploitation of the vulnerabilities in the wild.
CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6
In NMIS/BioDose V22.02 and previous versions, installations that use the embedded Microsoft SQL Server Express database are exposed through the Windows share that clients access in networked installs. The directory paths have insecure permissions by default, allowing access to the SQL Server database and configuration files, which may contain sensitive data.
CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7
NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. While users must supply a password in the client software, the underlying database connection always has access to the data. An option has been added to use Windows user authentication with the database to restrict the database connection.
CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7
NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account – nmdbuser – and other created accounts have the sysadmin role, which could lead to remote code execution through the use of certain built-in stored procedures.
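The following PowerShell script is an added example for auditing the condition described above; it is not code from Mirion Medical, EC2 Software, or the advisory. It connects to a SQL Server instance with Windows authentication, lists every login that holds the sysadmin role, and reports whether the command-execution stored procedures (xp_cmdshell, Ole Automation Procedures) are enabled. The instance name, the list of "expected" sysadmin logins, and the treatment of NT SERVICE\ accounts as expected are assumptions; adjust them to the deployment being checked. If nmdbuser still holds the role, it will appear in the output.

```powershell
# Added example (not vendor code): list sysadmin role members and the state of
# command-execution stored procedures on a SQL Server instance.
param(
    [string]$Instance = '.\SQLEXPRESS',    # assumed instance name; adjust to your install
    [string[]]$ExpectedAdmins = @('sa')    # assumed: logins you accept as sysadmin
)

Add-Type -AssemblyName System.Data
# Windows (integrated) authentication for the audit connection itself.
$connStr = "Server=$Instance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$conn.Open()

function Invoke-AuditQuery([string]$Sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $reader = $cmd.ExecuteReader()
    $table = New-Object System.Data.DataTable
    $table.Load($reader)
    $reader.Close()
    return ,$table
}

# Every principal that is a member of the fixed server role 'sysadmin'.
$sysadmins = Invoke-AuditQuery @"
SELECT m.name AS LoginName, m.type_desc AS LoginType, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
"@

# Server-level options that turn a sysadmin login into OS command execution.
$procs = Invoke-AuditQuery @"
SELECT name, CAST(value_in_use AS int) AS ValueInUse
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures')
"@

foreach ($row in $sysadmins.Rows) {
    $name = $row.LoginName
    # Assumption: SQL Server's own NT SERVICE\ accounts are expected members.
    $expected = ($ExpectedAdmins -contains $name) -or ($name -like 'NT SERVICE\*')
    $status = if ($expected) { 'expected' } else { 'REVIEW' }
    $disabled = if ($row.is_disabled) { ', disabled' } else { '' }
    "{0,-8} sysadmin member: {1} ({2}{3})" -f $status, $name, $row.LoginType, $disabled
}

foreach ($row in $procs.Rows) {
    $state = if ($row.ValueInUse -eq 1) { 'ENABLED' } else { 'disabled' }
    $status = if ($row.ValueInUse -eq 1) { 'REVIEW' } else { 'ok' }
    "{0,-8} {1} is {2}" -f $status, $row.name, $state
}

$conn.Close()
```

A "disabled" result for xp_cmdshell does not neutralize a REVIEW finding on the role membership: any sysadmin login can re-enable these options through sp_configure, which is why the role itself is the issue. Removing an application account from sysadmin on an unpatched install may break the application, so the supported remediation remains the v23.0 update; the script is for confirming the state before and after.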
CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1
In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.
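The following PowerShell script is an added example, not code from Mirion Medical or EC2 Software, for checking the two permission issues above (the exposed database directory share and the writable installation directory). It walks an install directory, reports NTFS access-control entries that give broad groups (Everyone, Users, Authenticated Users, Domain Users) write, delete, or permission-change rights on the directory, its executables, libraries, configuration files, and SQL Server data files, and then checks the SMB share exposing that directory for Change or Full access granted to the same groups. The install path and share name are assumptions and must be replaced with the real ones.

```powershell
# Added example (not vendor code): find broad write access on an application
# directory and on the SMB share that exposes it.
param(
    [string]$Path = 'C:\Program Files\NMIS',   # assumed install directory
    [string]$ShareName = 'NMIS'                # assumed share name; skipped if absent
)

$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
function Test-BroadIdentity([string]$Identity) {
    return ($broadGroups -contains $Identity) -or ($Identity -like '*\Domain Users')
}

# Any of these rights lets the holder replace a binary or alter a database file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Delete -bor `
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor `
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# The directory itself plus the file types whose modification matters most.
$targets = @(Get-Item -LiteralPath $Path)
$targets += Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.config, *.ini, *.mdf, *.ldf

$ntfsFindings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $id = $rule.IdentityReference.Value
        if ((Test-BroadIdentity $id) -and ([int]($rule.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $id
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Share-level permissions (only on hosts that have the SmbShare module and the share).
$shareFindings = @()
if ((Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) -and
    (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    $shareFindings = Get-SmbShareAccess -Name $ShareName |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            (Test-BroadIdentity $_.AccountName)
        }
}

if ($ntfsFindings) { $ntfsFindings | Format-Table -AutoSize }
else { "No broad NTFS write access found under $Path" }

if ($shareFindings) { $shareFindings | Format-Table AccountName, AccessRight -AutoSize }
else { "No broad Change/Full share access on $ShareName (or share not present)" }
```

Share and NTFS permissions combine, with the more restrictive one winning, so a share that grants Everyone Full Control is only as exposed as the NTFS ACL beneath it; the point of checking both is that either one being loose is a finding. When tightening NTFS permissions, the SQL Server service account still needs write access to the .mdf and .ldf files, so the fix is to scope writes to that account rather than remove them entirely, and the vendor's v23.0 release is the supported way to get the corrected defaults.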
CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4
NMIS/BioDose software V22.02 and previous versions have executable binaries with plaintext hard-coded passwords, which could be exploited to gain unauthorized access to the application and database.