PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-64778 Mirion Medical CVE debrief

Mirion Medical’s NMIS/BioDose software is affected by hard-coded plain-text passwords in executable binaries. CISA’s advisory says versions V22.02 and earlier may allow unauthorized access to both the application and the database, and rates the issue as High severity.

Vendor
Mirion Medical
Product
EC2 Software NMIS BioDose
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2025-12-02
Original CVE updated
2025-12-02
Advisory published
2025-12-02
Advisory updated
2025-12-02

Who should care

Administrators and operators running Mirion Medical EC2 Software NMIS/BioDose, especially installations on V22.02 or any earlier version, should prioritize this issue.

Technical summary

The CISA CSAF advisory for CVE-2025-64778 states that NMIS/BioDose software V22.02 and previous versions ship executable binaries that contain plain-text hard-coded passwords. The stated impact is potential unauthorized access to the application and the database. The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) reads as: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality and integrity impact, low availability impact. In practice this means any principal who can read the binary files (a local user, or anyone holding a copy of them) can recover the embedded credentials with a simple string search, without needing to run or debug the application.

Defensive priority

High for any affected installation. Upgrade planning should be immediate because the vendor states that V23.0 or later resolves the issue.

Recommended defensive actions

  • Update NMIS/BioDose to V23.0 or later as recommended by Mirion Medical.
  • If you have an active support contract, use the vendor’s update path or contact Mirion Medical support directly.
  • Identify all installations running V22.02 or earlier and confirm exposure scope.
  • Review application and database access logs for unexpected authentication activity on affected systems, in particular logins with the application's own service or database accounts from hosts or at times that do not match normal application use.
  • Treat the embedded passwords as already disclosed: after upgrading, rotate the application and database credentials that were hard-coded (and any account where the same passwords were reused), and confirm that the upgraded binaries no longer contain them in plain text.
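
As an added example (not code from the advisory, CISA, or Mirion Medical), the following scanner shows how to carry out the inventory and post-upgrade verification steps above: it extracts printable ASCII and UTF-16LE strings from a binary image and flags credential-shaped fragments such as `Password=...` inside connection strings. The credential pattern, the sample bytes and the function names are assumptions constructed for this example; the actual strings embedded in NMIS/BioDose are not published in the advisory.

```python
import re
from typing import Iterator, List, Tuple

# Minimum run of printable characters to count as a string (same default as `strings`).
MIN_LEN = 6

# Credential-shaped fragments typical of embedded connection strings or config blobs.
# This pattern is an assumption for the example; tune it to your environment.
CRED_PATTERN = re.compile(r"(?i)(?:password|passwd|pwd|pass)\s*[=:]\s*[^\s;]{1,64}")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for printable runs in ASCII and UTF-16LE.

    UTF-16LE runs (each printable char followed by a NUL byte) are common in
    Windows executables and are missed by a plain ASCII search.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credentials(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, matched fragment) for every credential-like string."""
    hits = []
    for off, enc, text in extract_strings(data):
        for m in CRED_PATTERN.finditer(text):
            hits.append((off, enc, m.group()))
    return sorted(hits)


def redact(fragment: str) -> str:
    """Keep the key name, mask the value, so findings can be shared in a ticket."""
    return re.sub(r"([=:]\s*)\S+", r"\1****", fragment)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a binary on disk; run this against the installed executables before and after upgrade."""
    with open(path, "rb") as fh:
        return find_credentials(fh.read())


# Constructed sample "binary": a fake header, an ASCII connection string, a UTF-16LE
# default password, and an innocuous log message. Not taken from any real product.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 16
    + b"Server=db01;Database=nmis;User Id=app;Password=S3cret!;"
    + b"\x00\x01\x02\x03"
    + "DefaultPwd=changeme".encode("utf-16le")
    + b"\xff\xfe\x00\x00"
    + b"No credentials here, just a log message"
)


if __name__ == "__main__":
    for off, enc, frag in find_credentials(SAMPLE_BINARY):
        print(f"0x{off:08x} {enc:9s} {redact(frag)}")
```

Run `scan_file()` over each executable and DLL of an installation and keep the redacted output as evidence of exposure scope; an empty result after upgrading to V23.0 or later is the check that the plain-text passwords are gone, although a non-plain-text encoding (obfuscated or encrypted strings) would not be caught by this search and needs a different review.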

Evidence notes

CISA’s official CSAF advisory (ICSMA-25-336-01) published on 2025-12-02 states that NMIS/BioDose V22.02 and previous versions contain executable binaries with plain-text hard-coded passwords. The advisory says these passwords could allow unauthorized access to both the application and database. The supplied remediation is to update to V23.0 or later. No KEV listing is present in the supplied corpus.

Official resources

Publicly disclosed by CISA in ICSMA-25-336-01 on 2025-12-02. The supplied corpus does not indicate any Known Exploited Vulnerabilities (KEV) listing.