CVE-2025-61940 Overview
CVE-2025-61940 affects Mirion NMIS/BioDose V22.02 and earlier versions. The application relies on a shared SQL Server account to access database records. The client software performs password authentication locally, but the underlying database connection retains full access regardless of the client-side check. An attacker who bypasses or reuses the client authentication can read or modify medical dose data directly through the database connection. This weakness maps to [CWE-603]: Use of Client-Side Authentication. The latest NMIS/BioDose release introduces Windows authentication as an option to scope database access per user.
Critical Impact
Authenticated network attackers can bypass client-side authentication and gain direct access to sensitive medical dosimetry data stored in the backing SQL Server database.
Affected Products
- Mirion NMIS/BioDose V22.02
- Mirion NMIS/BioDose versions prior to V22.02
- Deployments using shared SQL Server account authentication
Discovery Timeline
- 2025-12-02 - CVE-2025-61940 published to the National Vulnerability Database (NVD)
- 2025-12-02 - CISA Medical Advisory ICSMA-25-336-01 published
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-61940
Vulnerability Analysis
NMIS/BioDose is a dosimetry and radiation monitoring information system used in healthcare and nuclear medicine environments. The client application enforces user authentication against a password store, then connects to the backend SQL Server using a single shared service account. That service account holds the privileges required by every user role.
Because the access decision lives in the client process, the database itself does not differentiate between authorized and unauthorized callers. Any process that can reach the SQL Server endpoint and obtain the shared credentials inherits full data access. This includes read and write access to dose records and patient-related fields.
The weakness corresponds to [CWE-603]: Use of Client-Side Authentication. The CVSS vector indicates a network attack vector with low attack complexity and low privileges required, scoring 8.7.
Root Cause
The root cause is the placement of the authorization boundary inside the client application instead of inside the database tier. A common SQL Server login authorizes the connection, so any caller in possession of those credentials, or able to ride an existing connection, operates with full privileges.
Attack Vector
An attacker on the network with knowledge of the shared SQL credentials can connect directly to the database using any SQL client. The attacker bypasses the NMIS/BioDose client entirely. Credentials may be recovered from configuration files, memory of a running client, or network captures depending on transport protection.
No public proof-of-concept code is available for CVE-2025-61940. Refer to CISA Medical Advisory ICSMA-25-336-01 for vendor and coordinator details.
Detection Methods for CVE-2025-61940
Indicators of Compromise
- SQL Server logins from the shared NMIS/BioDose service account originating from hosts that do not run the NMIS/BioDose client.
- Direct connections to the NMIS/BioDose database from interactive query tools such as sqlcmd, SSMS, or third-party ODBC clients.
- Off-hours queries against dose record tables that do not match normal client activity patterns.
Detection Strategies
- Enable SQL Server login auditing and capture the client_app_name, source hostname, and source IP for every session bound to the shared service account.
- Baseline expected client hostnames and alert on deviations.
- Correlate database session telemetry with endpoint process telemetry to confirm that each database session is paired with an authorized NMIS/BioDose client process.
Monitoring Recommendations
- Forward SQL Server audit logs to a centralized SIEM or data lake for retention and correlation.
- Monitor configuration files and registry keys that store the shared connection string for unauthorized reads.
- Watch for credential dumping activity on hosts that run the NMIS/BioDose client, since the shared credentials may reside in memory or local configuration.
How to Mitigate CVE-2025-61940
Immediate Actions Required
- Upgrade NMIS/BioDose to the latest version that supports Windows authentication against SQL Server.
- Switch the database connection from the shared SQL login to integrated Windows authentication and grant per-user or per-group permissions.
- Restrict network access to the SQL Server instance so that only authorized application hosts can reach the database port.
- Rotate the shared SQL Server account password and revoke privileges that are not strictly required.
Patch Information
Mirion states that the latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which restricts the database connection at the server side. Consult CISA Medical Advisory ICSMA-25-336-01 for vendor coordination details and follow Mirion's product documentation for upgrade procedures.
Workarounds
- Place the SQL Server instance on a segmented network reachable only from approved NMIS/BioDose client hosts.
- Enforce TLS on SQL Server connections to prevent credential interception on the wire.
- Apply the principle of least privilege to any service account used by the application until Windows authentication can be enabled.
- Audit and remove stored copies of the shared connection string from shared drives, backups, and documentation.
# Configuration example: enforce integrated Windows authentication in the connection string
# Replace the shared SQL login with a domain-scoped trusted connection
Server=NMIS-SQL01;Database=BioDose;Integrated Security=SSPI;Encrypt=true;TrustServerCertificate=false;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

