Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61940

CVE-2025-61940: Mirion Biodose/nmis Auth Bypass Flaw

CVE-2025-61940 is an authentication bypass vulnerability in Mirion Biodose/nmis V22.02 and earlier that exposes database access through shared SQL credentials. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-61940 Overview

CVE-2025-61940 affects Mirion NMIS/BioDose V22.02 and earlier versions. The application relies on a shared SQL Server account to access database records. The client software performs password authentication locally, but the underlying database connection retains full access regardless of the client-side check. An attacker who bypasses or reuses the client authentication can read or modify medical dose data directly through the database connection. This weakness maps to [CWE-603]: Use of Client-Side Authentication. The latest NMIS/BioDose release introduces Windows authentication as an option to scope database access per user.

Critical Impact

Authenticated network attackers can bypass client-side authentication and gain direct access to sensitive medical dosimetry data stored in the backing SQL Server database.

Affected Products

  • Mirion NMIS/BioDose V22.02
  • Mirion NMIS/BioDose versions prior to V22.02
  • Deployments using shared SQL Server account authentication

Discovery Timeline

  • 2025-12-02 - CVE-2025-61940 published to the National Vulnerability Database (NVD)
  • 2025-12-02 - CISA Medical Advisory ICSMA-25-336-01 published
  • 2026-01-02 - Last updated in NVD database

Technical Details for CVE-2025-61940

Vulnerability Analysis

NMIS/BioDose is a dosimetry and radiation monitoring information system used in healthcare and nuclear medicine environments. The client application enforces user authentication against a password store, then connects to the backend SQL Server using a single shared service account. That service account holds the privileges required by every user role.

Because the access decision lives in the client process, the database itself does not differentiate between authorized and unauthorized callers. Any process that can reach the SQL Server endpoint and obtain the shared credentials inherits full data access. This includes read and write access to dose records and patient-related fields.

The weakness corresponds to [CWE-603]: Use of Client-Side Authentication. The CVSS vector indicates a network attack vector with low attack complexity and low privileges required, scoring 8.7.

Root Cause

The root cause is the placement of the authorization boundary inside the client application instead of inside the database tier. A common SQL Server login authorizes the connection, so any caller in possession of those credentials, or able to ride an existing connection, operates with full privileges.

Attack Vector

An attacker on the network with knowledge of the shared SQL credentials can connect directly to the database using any SQL client. The attacker bypasses the NMIS/BioDose client entirely. Credentials may be recovered from configuration files, memory of a running client, or network captures depending on transport protection.

No public proof-of-concept code is available for CVE-2025-61940. Refer to CISA Medical Advisory ICSMA-25-336-01 for vendor and coordinator details.

Detection Methods for CVE-2025-61940

Indicators of Compromise

  • SQL Server logins from the shared NMIS/BioDose service account originating from hosts that do not run the NMIS/BioDose client.
  • Direct connections to the NMIS/BioDose database from interactive query tools such as sqlcmd, SSMS, or third-party ODBC clients.
  • Off-hours queries against dose record tables that do not match normal client activity patterns.

Detection Strategies

  • Enable SQL Server login auditing and capture the client_app_name, source hostname, and source IP for every session bound to the shared service account.
  • Baseline expected client hostnames and alert on deviations.
  • Correlate database session telemetry with endpoint process telemetry to confirm that each database session is paired with an authorized NMIS/BioDose client process.

Monitoring Recommendations

  • Forward SQL Server audit logs to a centralized SIEM or data lake for retention and correlation.
  • Monitor configuration files and registry keys that store the shared connection string for unauthorized reads.
  • Watch for credential dumping activity on hosts that run the NMIS/BioDose client, since the shared credentials may reside in memory or local configuration.

How to Mitigate CVE-2025-61940

Immediate Actions Required

  • Upgrade NMIS/BioDose to the latest version that supports Windows authentication against SQL Server.
  • Switch the database connection from the shared SQL login to integrated Windows authentication and grant per-user or per-group permissions.
  • Restrict network access to the SQL Server instance so that only authorized application hosts can reach the database port.
  • Rotate the shared SQL Server account password and revoke privileges that are not strictly required.

Patch Information

Mirion states that the latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which restricts the database connection at the server side. Consult CISA Medical Advisory ICSMA-25-336-01 for vendor coordination details and follow Mirion's product documentation for upgrade procedures.

Workarounds

  • Place the SQL Server instance on a segmented network reachable only from approved NMIS/BioDose client hosts.
  • Enforce TLS on SQL Server connections to prevent credential interception on the wire.
  • Apply the principle of least privilege to any service account used by the application until Windows authentication can be enabled.
  • Audit and remove stored copies of the shared connection string from shared drives, backups, and documentation.
bash
# Configuration example: enforce integrated Windows authentication in the connection string
# Replace the shared SQL login with a domain-scoped trusted connection
Server=NMIS-SQL01;Database=BioDose;Integrated Security=SSPI;Encrypt=true;TrustServerCertificate=false;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.