CVE-2025-64298 Overview
CVE-2025-64298 is an Insecure Permissions vulnerability affecting NMIS/BioDose V22.02 and previous versions where the embedded Microsoft SQL Server Express is deployed. The vulnerability exists in networked installations where the Windows share accessed by clients exposes the SQL Server database and configuration files through insecure directory paths. This misconfiguration allows unauthorized users to access sensitive data stored within the database and its associated configuration files.
Critical Impact
Attackers with local network access can exploit insecure directory permissions to access sensitive SQL Server database files and configuration data, potentially leading to data theft, unauthorized modification, or further system compromise in medical device environments.
Affected Products
- Mirion BioDose/NMIS V22.02 and earlier versions
- Microsoft Windows (as the underlying operating system)
- Embedded Microsoft SQL Server Express installations
Discovery Timeline
- 2025-12-02 - CVE-2025-64298 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-64298
Vulnerability Analysis
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The flaw stems from improper access control configurations on Windows file shares used in networked NMIS/BioDose installations. When the embedded Microsoft SQL Server Express database is deployed, the installation creates shared directories that clients access over the network. However, these directories are configured with overly permissive access rights by default, exposing database files (.mdf, .ldf) and SQL Server configuration files to any user with network access to the share.
Medical dosimetry systems like NMIS/BioDose handle sensitive radiation dose records and patient data, making this exposure particularly concerning in healthcare environments. The vulnerability requires local network access to exploit, which limits remote exploitation but still presents significant risk within hospital or clinic networks.
Root Cause
The root cause of CVE-2025-64298 lies in the default directory permission configuration applied during NMIS/BioDose installation. The shared folder structure used for networked client access does not properly restrict permissions on directories containing SQL Server Express database files and configuration data. This allows any user who can access the Windows share to read—and potentially write to—these critical resources.
Attack Vector
The attack vector is local network-based, requiring the attacker to have access to the same network segment where the NMIS/BioDose server's Windows share is accessible. An attacker can enumerate accessible shares, identify the NMIS/BioDose installation directory, and directly access SQL Server database files or configuration files containing sensitive information such as connection strings, credentials, or patient dosimetry data.
The exploitation process involves:
- Discovering the Windows share hosting NMIS/BioDose data
- Navigating to directories containing SQL Server Express files
- Copying or modifying database files (.mdf, .ldf) and configuration files
- Extracting sensitive data or injecting malicious content
For detailed technical information, see the CISA ICS Medical Advisory.
Detection Methods for CVE-2025-64298
Indicators of Compromise
- Unusual access patterns to the NMIS/BioDose shared directory from unexpected workstations or user accounts
- Read or copy operations on SQL Server database files (.mdf, .ldf) outside normal application behavior
- Unauthorized modifications to SQL Server configuration files
- Network traffic anomalies showing file share access to sensitive directories from non-authorized endpoints
Detection Strategies
- Implement Windows file auditing on the NMIS/BioDose shared directories to log all access attempts to database and configuration files
- Configure SIEM rules to alert on suspicious file share access patterns, particularly bulk file reads or access from non-standard client systems
- Deploy endpoint detection solutions to monitor for tools commonly used to copy or extract SQL Server database files
- Review Windows Security Event logs for Event ID 4663 (an attempt was made to access an object; these events are only generated once Object Access auditing is enabled and a SACL is set on the directories) targeting sensitive directories
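As an added example (not part of the advisory), the following Python triages exported Event ID 4663 records the way a SIEM rule for this CVE would: any read or write of .mdf/.ldf/configuration files under the installation by an account outside an assumed allowlist is flagged, with writes rated above reads. The event records, account names and paths are constructed.

```python
# Added example (not from the advisory): triage Security Event ID 4663 records for touches on the
# NMIS/BioDose SQL Server files. Events are constructed; accounts, paths and the allowlist are assumptions.
from typing import Iterable, List, Optional, Tuple

# Files the advisory says are exposed: SQL Server data/log files and the configuration files beside them.
SENSITIVE_EXTENSIONS = (".mdf", ".ldf", ".ndf", ".config", ".ini")
# Assumed accounts that legitimately open these files (the SQL Server service account and a backup account).
ALLOWED_ACCOUNTS = {"MSSQL$SQLEXPRESS", "nmis-backup"}
# Bits of the 4663 AccessMask field for file objects (ReadData, WriteData, AppendData, DELETE, WRITE_DAC).
READ_DATA, WRITE_DATA, APPEND_DATA, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x10000, 0x40000

def is_sensitive(object_name: str) -> bool:
    """4663 ObjectName is the local NTFS path, so match on the extension regardless of the share name."""
    return object_name.lower().endswith(SENSITIVE_EXTENSIONS)

def classify(event: dict) -> Optional[str]:
    """Return 'write', 'read' or None for one event; only allowlisted accounts are exempt."""
    if event.get("EventID") != 4663 or not is_sensitive(event["ObjectName"]):
        return None
    if event["SubjectUserName"] in ALLOWED_ACCOUNTS:
        return None
    mask = int(event["AccessMask"], 16)
    if mask & (WRITE_DATA | APPEND_DATA | DELETE | WRITE_DAC):
        return "write"
    return "read" if mask & READ_DATA else None

def find_alerts(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Collect (severity, account, path) for every non-allowlisted touch on a sensitive file."""
    alerts = []
    for event in events:
        severity = classify(event)
        if severity:
            alerts.append((severity, event["SubjectUserName"], event["ObjectName"]))
    return alerts

# Constructed sample: service-account I/O, a workstation user reading the data file and
# rewriting a config file, and a benign read of an unrelated report.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "MSSQL$SQLEXPRESS", "ObjectName": r"C:\NMIS\Database\BioDose.mdf", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "MSSQL$SQLEXPRESS", "ObjectName": r"C:\NMIS\Database\BioDose_log.ldf", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "ward-pc7-user", "ObjectName": r"C:\NMIS\Database\BioDose.mdf", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "ward-pc7-user", "ObjectName": r"C:\NMIS\Database\sqlserver.ini", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "ward-pc7-user", "ObjectName": r"C:\NMIS\Reports\daily.pdf", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for severity, account, path in find_alerts(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {account} -> {path}")
```

Because access over an SMB share is audited under the local path, the rule keys on the account rather than on the share name.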
Monitoring Recommendations
- Enable detailed file access auditing on all directories containing SQL Server Express files within the NMIS/BioDose installation
- Establish baseline access patterns for legitimate client connections and alert on deviations
- Monitor for new user accounts or permission changes on the affected file shares
- Implement network segmentation monitoring to detect lateral movement attempts targeting the NMIS/BioDose server
How to Mitigate CVE-2025-64298
Immediate Actions Required
- Review and restrict directory permissions on the NMIS/BioDose shared folder structure to allow only required user accounts and service accounts
- Remove unnecessary read/write access for generic user groups such as Everyone or Users from directories containing SQL Server files
- Segment the network to limit access to the NMIS/BioDose server share to only authorized client workstations
- Implement principle of least privilege for all accounts accessing the NMIS/BioDose system
Patch Information
Refer to the CISA ICS Medical Advisory (ICSMA-25-336-01) for official guidance and any vendor-provided patches or updates from Mirion. Contact Mirion support directly for information on updated software versions that address this vulnerability.
Workarounds
- Apply restrictive NTFS permissions on directories containing SQL Server Express database files and configuration data, limiting access to the SQL Server service account and authorized administrators only
- Configure Windows Firewall rules to restrict SMB traffic to the NMIS/BioDose server from unauthorized network segments
- Consider using Windows share-level permissions in combination with NTFS permissions for defense-in-depth
- Regularly audit directory permissions to ensure secure configurations are maintained after updates or changes
# Example: restrict directory permissions using icacls (run from an elevated PowerShell prompt).
# The path and the SQLEXPRESS instance name are placeholders; single quotes stop PowerShell from expanding $SQLEXPRESS.
# /inheritance:r drops inherited ACEs only; explicit ACEs for broad groups must be removed by name.
icacls 'C:\NMIS\Database' /inheritance:r
icacls 'C:\NMIS\Database' /remove 'Everyone' 'BUILTIN\Users' 'NT AUTHORITY\Authenticated Users'
icacls 'C:\NMIS\Database' /grant 'NT SERVICE\MSSQL$SQLEXPRESS:(OI)(CI)F'
icacls 'C:\NMIS\Database' /grant 'BUILTIN\Administrators:(OI)(CI)F'
# List the resulting ACL to verify that only the service account and administrators remain.
icacls 'C:\NMIS\Database'
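To verify the result, and to find the explicit ACEs that /inheritance:r leaves in place, here is an added Python example (not from the advisory or from Mirion) that parses the output of `icacls <dir>` and reports each over-broad principal together with the icacls command that removes it. The listing, the directory path and the set of principals treated as over-broad are assumptions.

```python
# Added example (not from the advisory): audit an `icacls <dir>` listing for the broad-principal ACEs
# this CVE describes. The listing is constructed but uses the real icacls layout; path and principal set are assumptions.
import re
from typing import List, Set, Tuple
# Groups that should hold no rights on SQL Server data or configuration directories (assumed set).
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users", r"nt authority\anonymous logon"}
INHERIT_TOKENS = {"I", "OI", "CI", "IO", "NP"}                 # inheritance flags, not rights; (I) = inherited ACE
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DE", "DC", "WDAC", "WO"}  # simple and specific write-class rights
FIRST_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<ace>\S.*)$")  # path + first ACE; assumes a path without spaces
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")  # <principal>:(flag)(flag)(rights)

def parse_icacls(listing: str) -> List[Tuple[str, bool, Set[str]]]:
    """Return (principal, inherited, rights) for each ACE in one icacls listing."""
    aces = []
    for raw in listing.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        # Continuation lines are indented; the first line carries the path, which is stripped off here.
        text = line.strip() if line.startswith(" ") else FIRST_LINE.sub(r"\g<ace>", line)
        ace = ACE.match(text)
        if not ace:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        tokens = re.findall(r"\(([A-Za-z,]+)\)", ace.group("flags"))
        rights = {r for t in tokens if t not in INHERIT_TOKENS for r in t.split(",")}
        aces.append((ace.group("who"), "I" in tokens, rights))
    return aces

def audit(listing: str, path: str) -> List[Tuple[str, str, str]]:
    """Return (principal, severity, fix) per over-broad ACE: inherited ones go with /inheritance:r, explicit ones need /remove."""
    findings = []
    for who, inherited, rights in parse_icacls(listing):
        if who.lower() not in BROAD_PRINCIPALS or rights <= {"N"}:
            continue
        severity = "write" if rights & WRITE_RIGHTS else "read"
        fix = f'icacls "{path}" /inheritance:r' if inherited else f'icacls "{path}" /remove "{who}"'
        findings.append((who, severity, fix))
    return findings

# Constructed listing: service account and admins are fine; Everyone holds an explicit read ACE, BUILTIN\Users inherits Modify.
SAMPLE_LISTING = r"""C:\NMIS\Database NT SERVICE\MSSQL$SQLEXPRESS:(OI)(CI)(F)
                 BUILTIN\Administrators:(OI)(CI)(F)
                 Everyone:(OI)(CI)(RX)
                 BUILTIN\Users:(I)(OI)(CI)(M)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, severity, fix in audit(SAMPLE_LISTING, r"C:\NMIS\Database"):
        print(f"{severity.upper():5} {who:28} -> {fix}")
```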
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.