
Mirion Medical issues patches for five high-severity vulnerabilities

Successful exploitation of the vulnerabilities found in Mirion Medical's EC2 Software NMIS BioDose software could allow attackers to gain access to sensitive information, CISA said.

Mirion Medical issued patches for five vulnerabilities found in its EC2 Software NMIS BioDose software, which is used by healthcare providers for patient scheduling, dose delivery, inventory and waste management.

The Cybersecurity and Infrastructure Security Agency (CISA) published an advisory regarding the vulnerabilities and urged users to update the software to the latest version.

"Successful exploitation of these vulnerabilities could allow an attacker to modify program executables, gain access to sensitive information, gain unauthorized access to the application, and execute arbitrary code," CISA stated.

The vulnerabilities impact NMIS/BioDose versions prior to 23.0. The first vulnerability, tagged as CVE-2025-64642, enables users on client workstations to modify program executables and libraries in certain deployment scenarios, due to insecure default file permissions.

A vulnerability labeled as CVE-2025-64298 also involves insecure default settings. In NMIS/BioDose V22.02 and earlier versions, the embedded Microsoft SQL Server Express is exposed through the Windows share that clients access in networked installs. The directory has insecure paths by default, allowing access to the SQL Server database and configuration files, which contain sensitive data.

CVE-2025-62575 was flagged because some default SQL user accounts have the "sysadmin" role, which could lead to remote code execution. All NMIS/BioDose versions prior to 23.0 rely on a Microsoft SQL Server database.

Another vulnerability, tracked as CVE-2025-64778, involves the use of hard-coded credentials, meaning that plain-text passwords are embedded into the software's source code. If an attacker gained access to these passwords, they could potentially compromise the application and database.

Lastly, a high-severity vulnerability labeled CVE-2025-61940 involves the use of client-side authentication. All previous versions of NMIS/BioDose rely on a common SQL Server user account to access data.

"User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access," CISA explained.

"The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection."
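The client-side authentication pattern CISA describes, modeled as an added illustration that is not Mirion's code: a constructed Python example that uses an in-memory SQLite database as a stand-in for the product's SQL Server (assumption), showing the shared-connection design beside a server-enforced alternative in which the database side checks each session's identity, as the Windows authentication option is meant to do.

```python
import sqlite3

def make_db():  # constructed in-memory stand-in for the application's SQL Server database
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_users (name TEXT, pw TEXT, role TEXT);
        CREATE TABLE doses (patient TEXT, mbq REAL);
        INSERT INTO app_users VALUES ('alice','s3cret','admin'),('bob','hunter2','viewer');
        INSERT INTO doses VALUES ('P-001', 370.0), ('P-002', 185.0);
    """)
    return db

class ClientSideAuthApp:
    """Vulnerable pattern (the design CVE-2025-61940 describes): every client holds one
    shared, fully privileged connection; the password check lives only in the client."""
    def __init__(self, db):
        self.conn = db  # common account, always has full access to the data
        self.user = None
    def login(self, name, pw):
        row = self.conn.execute("SELECT 1 FROM app_users WHERE name=? AND pw=?", (name, pw)).fetchone()
        self.user = name if row else None
        return row is not None
    def doses(self):
        if self.user is None:  # enforced in the client only; the connection itself is not restricted
            raise PermissionError("not logged in")
        return self.conn.execute("SELECT patient, mbq FROM doses").fetchall()

class ServerSideAuthDb:
    """Hardened pattern: the database side authenticates each session and checks
    every query against that identity, so a client holds no broader credential."""
    def __init__(self, db):
        self._db = db
    def session(self, name, pw):  # in a real deployment this is the database server's own login
        row = self._db.execute("SELECT role FROM app_users WHERE name=? AND pw=?", (name, pw)).fetchone()
        if row is None:
            raise PermissionError("bad credentials")
        return Session(self._db, row[0])

class Session:
    ALLOWED = {"admin": {"doses", "app_users"}, "viewer": {"doses"}}  # per-role grants
    def __init__(self, db, role):
        self._db, self.role = db, role
    def select(self, table):
        if table not in self.ALLOWED[self.role]:  # table name is checked against the allowlist
            raise PermissionError(f"{self.role} may not read {table}")
        return self._db.execute(f"SELECT * FROM {table}").fetchall()

def denied(fn, *args):  # True if the call is refused with PermissionError
    try: fn(*args); return False
    except PermissionError: return True
```

In the vulnerable model a failed client login still leaves `app.conn` able to read every table, which is the property CISA's advisory calls out; in the hardened model the session carries only the rights of the authenticated user.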

Mirion Medical recommended that all users update to V23.0 or later by updating through the software or contacting Mirion Medical support directly. CISA recommended that users take defensive measures to reduce the risk of exploitation. Recommended actions include minimizing network exposure for all control system devices, isolating control system networks behind firewalls and using virtual private networks.

As always, healthcare organizations should perform risk assessments and impact analyses prior to employing any defensive measures.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
