CVE-2025-64642 Overview
CVE-2025-64642 affects Mirion NMIS/BioDose V22.02 and earlier versions. The installation directory is created with insecure default file permissions [CWE-732]. In multi-user deployment scenarios, unprivileged users on client workstations can modify program executables and libraries within the installation path. Attackers can replace legitimate binaries with trojanized versions to achieve code execution under the context of any user who subsequently runs the application. The flaw impacts the integrity and availability of the BioDose medical dosimetry workflow used in nuclear medicine environments.
Critical Impact
Local users can tamper with NMIS/BioDose executables and libraries, enabling persistent code execution and compromise of medical dosimetry data integrity.
Affected Products
- Mirion NMIS/BioDose V22.02
- Mirion NMIS/BioDose versions prior to V22.02
- Client workstations running shared NMIS/BioDose installations
Discovery Timeline
- 2025-12-02 - CVE-2025-64642 published to NVD
- 2025-12-02 - CISA Medical Advisory ICSMA-25-336-01 released
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64642
Vulnerability Analysis
The vulnerability stems from incorrect permission assignment on the NMIS/BioDose installation directory. By default, the installer applies access control entries that grant write or modify permissions to non-administrative users on the local workstation. This permits any local account to overwrite executables, dynamic-link libraries, and supporting configuration files within the program directory.
In clinical deployments where multiple operators share workstations, the weakness allows one user to substitute a trusted binary with attacker-controlled code. When a privileged user later launches the application, the substituted code executes within that user's session. The vulnerability is classified under [CWE-732] Incorrect Permission Assignment for Critical Resource. Exploitation requires only local access and no user interaction beyond normal program use.
Root Cause
The NMIS/BioDose installer does not enforce restrictive access control lists on the installation directory. Standard practice requires that program files reside in locations writable only by administrators, such as C:\Program Files, with non-administrative principals granted read and execute rights only. The deployed permissions deviate from this baseline.
Attack Vector
An attacker with a local user account on a workstation hosting NMIS/BioDose locates the installation directory and replaces a target executable or DLL. The malicious binary persists on disk until another user, often a clinician with elevated privileges, runs the application. Execution then occurs in the context of the launching user, granting the attacker access to medical data, network resources, and authentication tokens available to that session.
No verified exploit code is publicly available. Refer to the CISA Medical Advisory ICSMA-25-336-01 for vendor-coordinated technical details.
Detection Methods for CVE-2025-64642
Indicators of Compromise
- Unexpected modifications to executables, DLLs, or configuration files within the NMIS/BioDose installation directory
- File creation or replacement events authored by non-administrative user accounts in the program directory
- New or unsigned binaries appearing alongside legitimate Mirion-signed executables
- Process executions originating from the BioDose install path with anomalous parent processes or command lines
Detection Strategies
- Enable Windows file system auditing on the NMIS/BioDose installation directory to log write and modify events
- Compare digital signatures and file hashes of installed binaries against a known-good baseline from Mirion
- Hunt for process launches from the program directory where the image hash differs from the vendor-provided reference
- Correlate logon events with subsequent file writes in the install path to identify which local account introduced changes
Monitoring Recommendations
- Deploy endpoint identification tooling capable of flagging modifications to executable files in application directories
- Forward Windows Security Event IDs 4663 and 4670 from BioDose hosts to a centralized SIEM for retention and review
- Alert on any non-administrative principal writing to the BioDose program folder
- Periodically validate installation directory ACLs against the hardened configuration
How to Mitigate CVE-2025-64642
Immediate Actions Required
- Inventory all workstations running Mirion NMIS/BioDose V22.02 or earlier and identify shared-use systems
- Apply restrictive NTFS permissions on the installation directory to remove write access for non-administrative users
- Contact Mirion support for vendor guidance and any available updated installer or hardening package
- Restrict interactive logon on BioDose workstations to authorized clinical staff only
Patch Information
Mirion has not published a fixed version reference in the NVD entry at the time of writing. Customers should consult Mirion product support and review the CISA Medical Advisory ICSMA-25-336-01 for current remediation guidance and any released updates.
Workarounds
- Manually reset ACLs on the installation directory so only Administrators and SYSTEM have write or modify rights, while standard users retain only read and execute
- Relocate the installation to a protected path such as C:\Program Files if the application supports it
- Apply application allowlisting to prevent execution of unsigned or modified binaries from the BioDose directory
- Segment BioDose workstations on a restricted network zone and limit local account provisioning
# Configuration example: harden NMIS/BioDose install directory ACLs on Windows
icacls "C:\Path\To\BioDose" /inheritance:r
icacls "C:\Path\To\BioDose" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Path\To\BioDose" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\Path\To\BioDose" /grant:r "Users:(OI)(CI)RX"
icacls "C:\Path\To\BioDose" /remove "Authenticated Users"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

