Executive Summary
In December 2025, Mirion Medical disclosed multiple high-severity vulnerabilities affecting its EC2 Software NMIS BioDose product, versions prior to 23.0. These flaws—incorrect permission assignments, use of hard-coded credentials, and client-side authentication weaknesses—could be exploited by attackers to gain unauthorized access, elevate privileges, manipulate executables, steal sensitive medical data, or execute arbitrary code. Impacting the healthcare and public health sectors globally, these vulnerabilities pose critical operational and patient-data risks, especially in environments with networked installations and exposed Microsoft SQL Server databases. No active exploitation has yet been reported, but CISA urges urgent mitigation measures due to the vulnerabilities’ remote exploitability and low attack complexity.
This incident highlights intensifying regulatory scrutiny on medical device security as threat actors increasingly target healthcare systems for sensitive patient data and intellectual property. The vulnerabilities in Mirion’s product underscore persistent gaps in authentication and privilege controls—a growing concern amid adoption of connected medical technologies and regulatory frameworks such as HIPAA and NIST.
Why This Matters Now
Healthcare organizations and critical infrastructure providers face increasing risk from rapidly evolving threat landscapes that exploit weak authentication, poor privilege management, and insecure default configurations. Immediate attention is needed as unpatched deployments of NMIS BioDose could expose patient safety and clinical workflows to compromise, regulatory penalties, and service disruptions.
Attack Path Analysis
In the attack path implied by these flaws, an adversary would first exploit insecure file permissions and hard-coded credentials in the Mirion Medical EC2 Software NMIS BioDose to gain initial unauthorized access to the environment. By leveraging the default sysadmin roles and client-side authentication weaknesses, the attacker could then escalate privileges to administrative rights. From there, the attacker could move laterally within the network, reaching other connected workstations, servers, or the embedded database via exposed shares. A command and control phase could follow, with the attacker establishing outbound connections or setting up persistence through database-level attacks. Sensitive data could then be exfiltrated via network shares or outbound database queries. Finally, the attacker could modify executables, disrupt the application, or execute arbitrary code, leading to loss of data integrity or operational disruption.
Kill Chain Progression
Initial Compromise
Description
An adversary could exploit incorrect permission assignments and hard-coded credentials to gain unauthorized access to the NMIS BioDose application environment.
Related CVEs
CVE-2025-64642 (CVSS 8)
Insecure file permissions in NMIS/BioDose V22.02 and earlier allow users to modify program executables and libraries.
Affected Products: Mirion Medical EC2 Software NMIS BioDose – < 23.0
Exploit Status: no public exploit

CVE-2025-64298 (CVSS 8.4)
Insecure directory paths in NMIS/BioDose V22.02 and earlier expose SQL Server database and configuration files to unauthorized access.
Affected Products: Mirion Medical EC2 Software NMIS BioDose – < 23.0
Exploit Status: no public exploit

CVE-2025-61940 (CVSS 8.3)
Client-side authentication in NMIS/BioDose V22.02 and earlier allows unauthorized database access due to a shared SQL Server user account.
Affected Products: Mirion Medical EC2 Software NMIS BioDose – < 23.0
Exploit Status: no public exploit

CVE-2025-64778 (CVSS 7.3)
Hard-coded passwords in NMIS/BioDose V22.02 and earlier allow unauthorized access to the application and database.
Affected Products: Mirion Medical EC2 Software NMIS BioDose – < 23.0
Exploit Status: no public exploit

CVE-2025-62575 (CVSS 8.3)
Default sysadmin role for SQL user accounts in NMIS/BioDose V22.02 and earlier can lead to remote code execution.
Affected Products: Mirion Medical EC2 Software NMIS BioDose – < 23.0
Exploit Status: no public exploit
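An added audit script, not part of the CISA advisory or of Mirion's software, that checks a deployment for the two misconfiguration classes listed above: write permissions for broad groups on the application's executables, libraries, configuration and SQL Server data files (the CVE-2025-64642 and CVE-2025-64298 class), and SQL Server logins that hold the sysadmin server role (the CVE-2025-62575 class). The install directory and instance name are placeholders, and the second check assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed.

```powershell
# Added audit script; not part of the CISA advisory or of Mirion's software.
# Assumptions: $InstallDir and $SqlInstance are placeholders for your deployment,
# and the SqlServer module (Invoke-Sqlcmd) is available for the second check.
param(
    [string]$InstallDir  = 'C:\PLACEHOLDER\BioDose',      # assumption: replace
    [string]$SqlInstance = 'BIODOSE-HOST\PLACEHOLDER'     # assumption: replace
)

# Principals that should never hold write rights on program or database files.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

# Check 1 (CVE-2025-64642 / CVE-2025-64298 class): executables, libraries,
# configuration and SQL Server data files that broad groups may modify.
$fileFindings = Get-ChildItem -Path $InstallDir -Recurse -File `
    -Include *.exe, *.dll, *.config, *.ini, *.mdf, *.ldf -ErrorAction SilentlyContinue |
  ForEach-Object {
    $path = $_.FullName
    (Get-Acl -Path $path).Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
      } |
      ForEach-Object {
        [pscustomobject]@{ Check = 'BroadWriteACL'; Object = $path
                           Principal = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
      }
  }

# Check 2 (CVE-2025-62575 class): every login that is a member of sysadmin.
# The application's own SQL login should not appear here after hardening.
$sysadminQuery = @'
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin' AND m.name NOT LIKE '##%';
'@
$sqlFindings = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sysadminQuery |
  ForEach-Object {
    [pscustomobject]@{ Check = 'SysadminLogin'; Object = $SqlInstance
                       Principal = $_.login_name; Rights = $_.type_desc }
  }

# Any row from check 1 means the insecure-permission conditions are present;
# any non-administrative login in check 2 means the default sysadmin role is still in use.
@($fileFindings) + @($sqlFindings) | Format-Table -AutoSize
```

Run the script with a Windows account that can read the install directory and connect to the instance; an empty table for both checks is the expected state after upgrading to 23.0 and reviewing the SQL logins.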
MITRE ATT&CK® Techniques
Valid Accounts
Unsecured Credentials
Abuse Elevation Control Mechanism
Process Injection
Indicator Removal on Host
Windows Management Instrumentation
Access Unsecured Credentials
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit access to system components and cardholder data
Control ID: 7.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Security Policies and Procedures
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Strong Authentication and Least Privilege
Control ID: Identity Pillar: Authentication
NIS2 Directive – Access Control and Asset Management
Control ID: Article 21(2)(d)
HIPAA Security Rule – Access Control
Control ID: 45 CFR §164.312(a)(1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Critical vulnerabilities in Mirion Medical's BioDose radiation monitoring software expose patient data and enable arbitrary code execution, compromising medical device integrity.
Medical Equipment
Hard-coded credentials and insecure permissions in medical radiation monitoring systems allow unauthorized access to sensitive medical equipment and databases.
Pharmaceuticals
BioDose software vulnerabilities threaten radiation safety protocols in pharmaceutical research and manufacturing, enabling potential data exfiltration and system compromise.
Research Industry
Research facilities using radiation monitoring equipment face exposure to remote code execution attacks through client-side authentication bypasses and permission misconfigurations.
Sources
- Mirion Medical EC2 Software NMIS BioDose: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 (Verified)
- NVD Entry for CVE-2025-64642: https://nvd.nist.gov/vuln/detail/CVE-2025-64642 (Verified)
- NVD Entry for CVE-2025-64298: https://nvd.nist.gov/vuln/detail/CVE-2025-64298 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation and network-based controls would have contained the spread by enforcing least privilege, limiting exposure between workloads, and preventing unauthorized outbound data transfers; egress policy enforcement and inline threat detection could have identified or blocked exploitation attempts, lateral movement, and data exfiltration.
- Control: Zero Trust Segmentation. Mitigation: Access to sensitive application resources would be isolated and restricted.
- Control: Multicloud Visibility & Control. Mitigation: Unusual authentication and privilege escalations are detected and alerted.
- Control: East-West Traffic Security. Mitigation: Lateral movement attempts between workloads or regions are prevented.
- Control: Threat Detection & Anomaly Response. Mitigation: Anomalous C2 traffic patterns are detected in real time and contained.
- Control: Egress Security & Policy Enforcement. Mitigation: Outbound data flows to unauthorized destinations are blocked or quarantined.
- Real-time inspection intercepts malicious file modifications or risky behaviors.
Impact at a Glance
Affected Business Functions
- Patient Data Management
- Treatment Planning
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive patient health information due to unauthorized database access.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust microsegmentation to restrict and isolate access to critical workloads, especially legacy or vulnerable assets.
- Enforce strict egress filtering and outbound policy enforcement to detect and block unauthorized data exfiltration attempts.
- Continuously monitor east-west network traffic and privileged account behaviors for early anomaly detection within hybrid and cloud environments.
- Upgrade insecure legacy authentication schemes to support identity-aware access controls and eliminate embedded credentials wherever possible.
- Leverage inline threat detection and response capabilities to identify, alert, and contain malicious behaviors in real time before impact.