Mirion Medical has identified five high-severity vulnerabilities in its EC2 Software NMIS BioDose software and has released a patched version to correct them. An attacker who successfully exploits these vulnerabilities could gain unauthorized access to the application, modify program executables, read sensitive data, and potentially execute code remotely.
HIPAA-compliant healthcare providers use the Mirion Medical EC2 Software NMIS BioDose software to manage inventory, patient data, doses, and billing. The vulnerabilities affect software versions earlier than v23.0. Users are advised to upgrade to v23.0 or later to prevent exploitation. Customers with an active support agreement can upgrade to the newer version from within the software. At the time the new version was released, no in-the-wild exploitation of these vulnerabilities had been identified.
- CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6
In NMIS/BioDose V22.02 and earlier installations that use the bundled Microsoft SQL Server Express, the SQL Server directory is exposed on the Windows share that clients use in networked installations. The directory's default permissions are insecure, allowing access to the SQL Server database files and configuration, which may contain sensitive information.
- CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7
NMIS/BioDose V22.02 and earlier versions rely on a single shared SQL Server user account to read data from the database. Although users must enter a password in the client application, the underlying database connection is always authorized, so the application-level password does not gate access to the database itself. An option is provided to use Windows authentication with the database in order to restrict who can connect to it.
- CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7
NMIS/BioDose V22.02 and earlier versions rely on a Microsoft SQL Server database. The nmdbuser SQL user account, and other accounts created during installation, hold the sysadmin server role, which could allow remote code execution through certain pre-installed stored procedures.
- CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1
NMIS/BioDose V22.02 and earlier versions are installed with insecure default file permissions on the installation directories. In some deployments, this could allow users to modify program libraries and executables.
- CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4
NMIS/BioDose V22.02 and earlier versions ship executable binaries that contain plaintext hard-coded passwords. An attacker who recovers them can gain unauthorized access to the application and its database.
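The two permission findings above (CVE-2025-64298 on the shared SQL Server directory and CVE-2025-64642 on the installation directories) are both "a broad principal can write where only the installer and the service should". The following PowerShell script is an added example for checking a deployment for that condition; it is not part of the advisory or of Mirion's software. The installation path, the SQL Server path, and the share name are assumptions and must be changed to match the actual deployment; the list of broad principals is the usual set of identities that should never hold write access to program or database directories.

```powershell
# Added example: find broad write access on an NMIS/BioDose installation and on the
# SQL Server directory it shares. Not part of the advisory or Mirion's software.
# The paths and share name below are assumptions; change them to match the deployment.
$InstallDir  = 'C:\Program Files\Mirion\NMIS'            # assumed install path
$SqlDataDir  = 'C:\Program Files\Microsoft SQL Server'   # assumed SQL Server Express path
$ClientShare = 'NMIS'                                    # assumed name of the networked-install share

# Identities that should never be able to write to program or database directories.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these NTFS rights lets a user replace executables or tamper with .mdf/.ldf files.
# Modify and FullControl both contain these bits, so they are caught as well.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership')
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL, seen in raw ACEs

function Get-WeakNtfsAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Kind      = 'NTFS'
            Target    = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-WeakShareAce {
    param([Parameter(Mandatory)][string]$ShareName)
    # Share permissions sit on top of NTFS: 'Full' or 'Change' for a broad principal means
    # the NTFS ACL is the only thing between the network and the database files.
    foreach ($ace in Get-SmbShareAccess -Name $ShareName -ErrorAction Stop) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.AccountName) { continue }
        if ($ace.AccessRight -notin @('Full', 'Change')) { continue }
        [pscustomobject]@{
            Kind      = 'SMB'
            Target    = $ShareName
            Identity  = $ace.AccountName
            Rights    = $ace.AccessRight
            Inherited = $false
        }
    }
}

function Invoke-NmisPermissionAudit {
    foreach ($dir in $InstallDir, $SqlDataDir) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Check the directory itself and every subdirectory: an inherited ACE from a parent
        # is the usual way a program or SQL Server folder ends up writable by everyone.
        Get-WeakNtfsAce -Path $dir
        Get-ChildItem -LiteralPath $dir -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Get-WeakNtfsAce -Path $_.FullName }
    }
    if (Get-SmbShare -Name $ClientShare -ErrorAction SilentlyContinue) {
        Get-WeakShareAce -ShareName $ClientShare
    }
}

Invoke-NmisPermissionAudit | Format-Table -AutoSize
```

Run it as a local administrator on the host that holds the share; `Get-Acl` on the SQL Server directories fails for unprivileged users, and `Get-SmbShareAccess` needs the SmbShare module (Windows Server 2012 / Windows 8 and later). An empty result after upgrading to v23.0 is the expected state; any row before upgrading is a concrete instance of the two CVEs, and an SMB row combined with an NTFS row on the same directory means the files are writable from the network.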
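CVE-2025-61940 and CVE-2025-62575 are both about how the application authenticates to SQL Server: a single shared login that is always authorized, and that login (nmdbuser) sitting in the sysadmin role. The following PowerShell script is an added example for auditing that state and for building the Windows-authentication connection the advisory offers as an alternative; it is not part of the advisory or of Mirion's software. The instance name and database name are assumptions. The advisory does not say which pre-installed stored procedures allow code execution, so the script checks the two server options that usually matter for a sysadmin login (`xp_cmdshell` and `Ole Automation Procedures`) as an assumption, not as a statement about the product.

```powershell
# Added example: audit SQL Server logins on an NMIS/BioDose database server.
# Not part of the advisory or Mirion's software. Instance and database names are
# assumptions; nmdbuser is the account named in the advisory. Which stored procedures
# give code execution is not stated in the advisory, so xp_cmdshell and Ole Automation
# Procedures are checked here as the usual sysadmin-reachable ones.
Add-Type -AssemblyName System.Data   # System.Data.SqlClient (Windows PowerShell 5.1 / PowerShell 7 on Windows)

function Get-NmisConnectionString {
    param(
        [string]$Server   = 'localhost\SQLEXPRESS',   # assumed instance name
        [string]$Database = 'master',
        [pscredential]$SqlCredential                   # omit to use Windows authentication
    )
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = $Server
    $b['Initial Catalog'] = $Database
    if ($SqlCredential) {
        # The pattern the advisory describes: one shared SQL login that every client
        # connects as, whatever the user typed into the application.
        $b['User ID']  = $SqlCredential.UserName
        $b['Password'] = $SqlCredential.GetNetworkCredential().Password
    } else {
        # The alternative the advisory offers: Windows authentication, so database access
        # follows the Windows identity and can be restricted per user or group.
        $b['Integrated Security'] = 'True'
    }
    $b.ConnectionString
}

function Invoke-SqlQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        $table
    } finally { $conn.Close() }
}

# Every principal that holds the sysadmin server role.
$SysadminQuery = @"
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
"@

# Server options a sysadmin login can switch on to run OS commands (assumed relevant; see lead-in).
$DangerousOptionsQuery = @"
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');
"@

function Invoke-NmisSqlAudit {
    param([string]$ConnectionString)
    foreach ($row in Invoke-SqlQuery $ConnectionString $SysadminQuery) {
        # A SQL login used by an application (e.g. nmdbuser) in sysadmin is the CVE-2025-62575 condition.
        $flag = if ($row.type_desc -eq 'SQL_LOGIN') { 'REVIEW' } else { 'ok' }
        '[{0}] sysadmin member: {1} ({2}, disabled={3})' -f $flag, $row.name, $row.type_desc, $row.is_disabled
    }
    foreach ($row in Invoke-SqlQuery $ConnectionString $DangerousOptionsQuery) {
        'server option {0} = {1}' -f $row.name, $row.value_in_use
    }
}

# Usage (as a Windows account that is a SQL Server administrator):
Invoke-NmisSqlAudit (Get-NmisConnectionString -Server 'localhost\SQLEXPRESS')
```

A `REVIEW` line for nmdbuser (or any other SQL login the installer created) confirms the pre-v23.0 condition. Removing the login from sysadmin with `ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;` is the standard T-SQL, but since the application on V22.02 and earlier expects that login, the safe order is to upgrade to v23.0 first and then re-run the audit; the `value_in_use = 1` check is only a warning sign, because a sysadmin login can re-enable those options itself.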
