PatchSiren cyber security CVE debrief

CVE-2025-61940 Mirion Medical CVE debrief

CVE-2025-61940 covers an authentication and access-control weakness in Mirion Medical EC2 Software NMIS/BioDose. According to CISA’s advisory, versions V22.02 and earlier rely on a common SQL Server user account for database access. The client application enforces a password check, but the underlying database connection, made with that shared account, still has access to the data regardless of the client-side check. Mirion Medical states that the latest version adds an option to use Windows user authentication for the database, which would restrict this connection to authenticated Windows users. CISA published the advisory on 2025-12-02 and assigned a high CVSS 3.1 score of 8.3.

Vendor: Mirion Medical
Product: EC2 Software NMIS BioDose
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-02
Original CVE updated: 2025-12-02
Advisory published: 2025-12-02
Advisory updated: 2025-12-02

Who should care

Operators and administrators running Mirion Medical EC2 Software NMIS/BioDose V22.02 or earlier, especially teams responsible for application access control, SQL Server configuration, and regulated clinical or laboratory environments.

Technical summary

The issue is not described as code execution or a software crash; it is a shared-credential design weakness. The client software’s password gate restricts application use, but the database layer still uses a common SQL Server account with access to data. That means access control is enforced only in the client layer, while the backend connection remains broadly privileged: the application password protects the user interface, not the data behind it. The vendor’s mitigation is to move to V23.0 or later, where Windows user authentication can be used with the database so that access is tied to individual Windows accounts rather than one shared login.

Defensive priority

High. The advisory’s CVSS 3.1 score is 8.3 (HIGH), with network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality/integrity impact. Availability impact is limited but present. Prioritize remediation for any deployed instances that still use the affected versions.

Recommended defensive actions

  • Update NMIS/BioDose to V23.0 or later as recommended by Mirion Medical.
  • For environments with an active support contract, obtain the latest version through the software update path or contact Mirion Medical support directly.
  • Review SQL Server authentication for NMIS/BioDose deployments and confirm the database connection is no longer using a shared account where Windows user authentication is available.
  • Validate that only authorized users can reach the database and that application-layer passwords are not the sole control protecting backend data access.
  • Document affected versions and confirm whether any systems remain on V22.02 or earlier.
  • Use CISA’s industrial control systems recommended practices as a baseline for defense-in-depth around access control and segmentation.
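The following T-SQL is an added example for the two review steps above (confirming the database connection no longer uses a shared account, and that application passwords are not the only control in front of the data). It is not part of the CISA advisory or Mirion Medical’s software, and it assumes the reviewer has sysadmin or VIEW SERVER STATE rights on the SQL Server instance that hosts the NMIS/BioDose database; the database name is a placeholder, and STRING_AGG requires SQL Server 2017 or later.

```sql
-- Added audit example (not vendor or CISA code). Replace the placeholder
-- with the actual NMIS/BioDose database name before running.
DECLARE @AppDatabase sysname = N'<nmis_biodose_database>';  -- placeholder

-- 1. Instance authentication mode. 1 = Windows authentication only,
--    0 = mixed mode. A shared SQL Server login can only be used in mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Every SQL-authenticated login (type 'S') and the server roles it holds.
--    One SQL login used by all client workstations is the shared-credential
--    pattern described in CVE-2025-61940; any such login in sysadmin or
--    similar roles is especially worth attention.
SELECT p.name        AS login_name,
       p.type_desc,
       p.is_disabled,
       STRING_AGG(r.name, ', ') AS server_roles
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals  AS r ON r.principal_id = m.role_principal_id
WHERE p.type = 'S'
  AND p.name NOT LIKE '##%'      -- skip internal certificate-based logins
GROUP BY p.name, p.type_desc, p.is_disabled
ORDER BY p.name;

-- 3. Live sessions against the application database, grouped by login and
--    authentication type. Many distinct client hosts sharing one SQL login
--    indicates the old shared-account design is still in use; after moving
--    to Windows authentication, each host should appear under its own
--    Windows user rather than a common SQL login.
SELECT s.login_name,
       CASE WHEN s.nt_user_name IS NULL OR s.nt_user_name = N''
            THEN 'SQL' ELSE 'Windows' END AS auth_type,
       COUNT(*)                       AS sessions,
       COUNT(DISTINCT s.host_name)    AS distinct_hosts,
       MIN(s.program_name)            AS sample_program
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.database_id = DB_ID(@AppDatabase)
GROUP BY s.login_name,
         CASE WHEN s.nt_user_name IS NULL OR s.nt_user_name = N''
              THEN 'SQL' ELSE 'Windows' END
ORDER BY distinct_hosts DESC;

-- 4. Database users in the application database, the server login each maps
--    to, and the database roles granted. This shows what the backend
--    connection can actually do once past the client's password check.
--    Dynamic SQL is used because USE cannot take a variable.
DECLARE @sql nvarchar(max) = N'USE ' + QUOTENAME(@AppDatabase) + N';
SELECT dp.name        AS db_user,
       sp.name        AS mapped_login,
       sp.type_desc   AS login_type,
       STRING_AGG(r.name, '', '') AS database_roles
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE dp.type IN (''S'', ''U'', ''G'')   -- SQL user, Windows user, Windows group
GROUP BY dp.name, sp.name, sp.type_desc
ORDER BY sp.type_desc, dp.name;';
EXEC sp_executesql @sql;
```

Read the results together: query 1 tells you whether SQL logins are possible at all, query 2 lists any shared SQL login and its privileges, query 3 shows whether client workstations are still authenticating with it, and query 4 shows which database roles that login carries. After upgrading to V23.0 or later and enabling Windows user authentication, the expected end state is Windows logins or groups (WINDOWS_LOGIN / WINDOWS_GROUP) holding only the database roles the application needs, with the former shared SQL login disabled or removed.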

Evidence notes

Source evidence is limited to the CISA CSAF advisory and linked official references. The advisory text states: "NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database" and that the latest version introduces Windows user authentication to restrict the connection. The supplied timeline shows initial publication on 2025-12-02T07:00:00Z. No KEV listing, ransomware linkage, or exploit details are present in the provided corpus.

Official resources

CISA published ICSMA-25-336-01 for Mirion Medical EC2 Software NMIS/BioDose on 2025-12-02, mapping to CVE-2025-61940. The supplied enrichment shows no KEV addition and no known ransomware campaign use.