PatchSiren cyber security CVE debrief
CVE-2025-64298 Mirion Medical CVE debrief
CVE-2025-64298 describes an information exposure issue in Mirion Medical EC2 Software NMIS BioDose. In affected networked installations, the files of the embedded Microsoft SQL Server Express instance are reachable through a Windows share, and the default directory paths allow access to database and configuration files that may contain sensitive data. CISA published the advisory on 2025-12-02 and assigned the issue a high CVSS 3.1 score of 8.4.
- Vendor: Mirion Medical
- Product: EC2 Software NMIS BioDose
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-02
- Original CVE updated: 2025-12-02
- Advisory published: 2025-12-02
- Advisory updated: 2025-12-02
Who should care
Operators and administrators running EC2 Software NMIS BioDose V22.02 or earlier, especially in networked deployments that use the embedded Microsoft SQL Server Express component, should treat this as a priority because the exposed share paths may reveal sensitive database and configuration data.
Technical summary
The advisory says that on NMIS/BioDose V22.02 and earlier, installations using the embedded Microsoft SQL Server Express are exposed via a Windows share that client hosts access in networked installs. The default directory layout permits access to SQL Server database files and configuration files. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which yields the 8.4 base score, and the advisory recommends updating to V23.0 or later. Two points in the vector matter for triage. First, it is scored with a local attack vector (AV:L) even though the exposure path described is a network share reached by client hosts, so do not read AV:L as meaning an attacker needs console access to the server. Second, integrity and availability are rated High alongside confidentiality, so the scoring assumes that whoever can reach the files can alter or remove them, not merely read them; a writable database or configuration file on a share is more than a data leak.
Defensive priority
High. The vector rates confidentiality, integrity and availability of the database and configuration files as High, the product is used in networked environments where client hosts reach the share, and the vendor recommends upgrading to a fixed version.
Recommended defensive actions
- Upgrade EC2 Software NMIS BioDose to V23.0 or later.
- If you have an active support contract, apply the latest vendor update through the software or contact Mirion Medical support.
- Review deployments that use the embedded Microsoft SQL Server Express component and verify that database and configuration paths are not exposed through accessible Windows shares.
- Restrict access to affected systems and shares to only necessary users and hosts until remediation is complete.
- Check for any sensitive data stored in the exposed database or configuration files and handle it according to your internal data protection procedures.
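The following audit script is an added example written for this debrief; it is not code from Mirion Medical, EC2 Software or CISA. It implements the review and restriction steps above on the server that hosts the embedded SQL Server Express instance: it walks every non-administrative SMB share, reports SQL Server data/log files and configuration files found under each share root together with the share-level and broad NTFS permissions on them, and lists which clients currently have database files open over SMB. The advisory does not name the product's share or directory layout, so the share scan and the file-extension lists are assumptions to adjust for your installation, and the placeholder group `NMIS-Clients` in the commented containment step is not a vendor-defined group.

```powershell
# Added example for CVE-2025-64298 triage (not vendor or CISA code).
# Run in an elevated PowerShell session on the NMIS/BioDose server.
#
# Assumptions not stated in the advisory: the product's share name and directory
# layout are unknown here, so every non-administrative share is scanned for SQL
# Server data/log files and common configuration file types.
$DataExt   = @('.mdf', '.ndf', '.ldf')             # SQL Server data, secondary data, log files
$ConfigExt = @('.ini', '.config', '.xml', '.json') # typical application config formats
$BroadIds  = 'Everyone|Authenticated Users|Domain Users|\\Users$|ANONYMOUS LOGON'

# Hidden administrative shares (C$, ADMIN$, IPC$) are skipped: they are governed by
# local administrator rights and are not the client-facing share the advisory describes.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$findings = foreach ($share in $shares) {
    if ([string]::IsNullOrEmpty($share.Path) -or -not (Test-Path -LiteralPath $share.Path)) { continue }

    # Share-level ACL: the first of the two gates a remote client passes through.
    $shareAcl = Get-SmbShareAccess -Name $share.Name |
        ForEach-Object { '{0}={1}/{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight }

    Get-ChildItem -LiteralPath $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension.ToLower() -in $DataExt) -or ($_.Extension.ToLower() -in $ConfigExt) } |
        ForEach-Object {
            $file = $_
            # NTFS ACL: the second gate. Effective remote access is the intersection of
            # share and NTFS rights, so only broad principals at the NTFS layer are reported.
            $ntfs = (Get-Acl -LiteralPath $file.FullName).Access |
                Where-Object { $_.IdentityReference.Value -match $BroadIds } |
                ForEach-Object { '{0}={1}' -f $_.IdentityReference, $_.FileSystemRights }

            [pscustomobject]@{
                Share     = $share.Name
                ShareAcl  = ($shareAcl -join '; ')
                File      = $file.FullName
                Kind      = if ($file.Extension.ToLower() -in $DataExt) { 'sql-data' } else { 'config' }
                BroadNtfs = ($ntfs -join '; ')
            }
        }
}

# Database files currently open over SMB: shows which client hosts and accounts are
# reading them through the share right now, which informs how access can be narrowed.
$openDbFiles = Get-SmbOpenFile |
    Where-Object { [IO.Path]::GetExtension($_.Path).ToLower() -in $DataExt }

$findings    | Format-Table Share, Kind, File, ShareAcl, BroadNtfs -AutoSize
$openDbFiles | Format-Table ClientComputerName, ClientUserName, Path -AutoSize

# Interim containment until the upgrade to V23.0 or later is complete. 'NMIS-Clients'
# is a placeholder group, not a vendor-defined one; confirm with the vendor which
# rights the client workstations need on this share before narrowing it.
# foreach ($share in $shares) {
#     Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force
#     Grant-SmbShareAccess  -Name $share.Name -AccountName 'DOMAIN\NMIS-Clients' -AccessRight Change -Force
# }
```

Any row whose `BroadNtfs` column is non-empty and whose `ShareAcl` grants a broad principal is a file that every authenticated host on the network can reach, which is the condition the advisory describes. Because share and NTFS permissions both apply, tightening either gate closes the path, but changing the share ACL is the less invasive option on a vendor-installed directory tree.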
Evidence notes
All claims are drawn from the supplied CISA CSAF advisory and its remediation entry. The advisory states that NMIS/BioDose V22.02 and earlier installations using embedded Microsoft SQL Server Express are exposed in a Windows share, with insecure default directory paths that can expose SQL Server database and configuration files containing sensitive data. The source data includes a vendor remediation to update to V23.0 or later. The supplied enrichment also shows isKev=false and no threat entries.
Official resources
- CVE-2025-64298 CVE record (CVE.org)
- CVE-2025-64298 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory and initial revision on 2025-12-02 07:00:00 UTC. The supplied advisory data does not list Known Exploited Vulnerabilities (KEV) inclusion or threat campaign details.