PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-62575 Mirion Medical CVE debrief

CVE-2025-62575 affects Mirion Medical EC2 Software NMIS/BioDose V22.02 and earlier. According to CISA, the default SQL user account 'nmdbuser' and other created accounts have the sysadmin role, which can enable remote code execution through built-in Microsoft SQL Server stored procedures. Mirion Medical advises updating to V23.0 or later.

Vendor: Mirion Medical
Product: EC2 Software NMIS BioDose
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-02
Original CVE updated: 2025-12-02
Advisory published: 2025-12-02
Advisory updated: 2025-12-02

Who should care

Organizations running Mirion Medical EC2 Software NMIS/BioDose, especially database administrators, OT/ICS operators, system administrators, and security teams responsible for SQL Server hardening and patching.

Technical summary

The advisory states that NMIS/BioDose V22.02 and previous versions rely on Microsoft SQL Server and that the 'nmdbuser' account, along with other created accounts, is granted sysadmin by default. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) indicates a network-exploitable issue requiring low privileges. With sysadmin-level SQL access, built-in stored procedures can be abused to reach remote code execution.

Defensive priority

High. The issue is rated CVSS 8.3 (HIGH) and impacts default database privileges in a product line used in medical/industrial contexts. Prioritize upgrading exposed or actively used installations, then verify SQL account privilege assignments.

Recommended defensive actions

  • Update Mirion Medical EC2 Software NMIS/BioDose to V23.0 or later.
  • If you have an active support contract, apply the latest vendor-provided update through the software or contact Mirion Medical support.
  • Review SQL Server accounts used by the application and remove unnecessary sysadmin privileges.
  • Audit for other default or created database accounts with elevated roles and restrict them to least privilege.
  • Validate that only required administrative access is allowed to the SQL Server hosting the application.
  • Use CISA ICS recommended practices and defense-in-depth guidance to harden and monitor the environment.
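The following T-SQL is an added example, not part of this debrief and not tooling from Mirion Medical or CISA. It shows how a database administrator can verify the privilege condition the advisory describes (membership of the sysadmin fixed server role) and, once the vendor upgrade is in place, reduce the application login to least privilege. The login name 'nmdbuser' comes from the advisory; the database name NMIS_DB and the database-level roles are placeholders, since the page does not state which permissions the application actually requires.

```sql
-- Added example (not from the PatchSiren debrief, Mirion Medical, or CISA).
-- Run on the SQL Server instance hosting NMIS/BioDose with an administrative login.

-- 1. Inventory every login that currently holds the sysadmin fixed server role.
--    Any account other than the instance administrators is a finding to review.
SELECT  sp.name        AS login_name,
        sp.type_desc   AS login_type,
        sp.is_disabled AS is_disabled,
        sp.create_date AS create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Check the advisory's named account directly (1 = sysadmin, 0 = not, NULL = no such login).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin;

-- 3. Remediation, to be applied only after upgrading to V23.0 or later and after
--    confirming with the vendor which database-level permissions the application needs.
--    Remove the server-wide role first ...
ALTER SERVER ROLE sysadmin DROP MEMBER [nmdbuser];

--    ... then grant scoped access inside the application database only.
--    NMIS_DB and the two fixed database roles below are placeholders (assumption).
USE [NMIS_DB];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'nmdbuser')
    CREATE USER [nmdbuser] FOR LOGIN [nmdbuser];
ALTER ROLE db_datareader ADD MEMBER [nmdbuser];
ALTER ROLE db_datawriter ADD MEMBER [nmdbuser];

-- 4. Re-run the check; the expected result after remediation is 0.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin_after;
```

Step 1 is the audit that supports the "review SQL Server accounts" and "audit for other default or created database accounts" actions above: it lists every sysadmin member, not only 'nmdbuser', so additional application-created accounts with the same elevated role show up in the same result set. Steps 3 and 4 should be scheduled with the application owner, because an unpatched V22.02 installation may depend on the elevated role and could stop working when it is removed.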

Evidence notes

This debrief uses only the supplied CISA CSAF advisory content, the embedded CVSS vector, the CVE record reference, and the vendor remediation statement. No exploit steps, reproduction details, or unsupported environmental assumptions are included.

Official resources

Publicly disclosed by CISA in ICSMA-25-336-01 on 2025-12-02, with initial publication and no later revision in the supplied timeline.