CISA Warns of Extreme Flaws in Nuclear Med Monitoring Software program

U.S. federal authorities are warning that a number of high-severity vulnerabilities found in Mirion Medical Co. stock monitoring software program utilized by nuclear drugs and radiology departments might enable attackers to change program executables, remotely execute code and achieve entry to delicate data – if exploited.

See Additionally: Gartner Report | Magic Quadrant for SD-WAN

The Cybersecurity Infrastructure and Safety Company in an advisory Tuesday stated the vulnerabilities, reported to the company by an impartial researcher, have an effect on BioDose/NMIS software program variations previous to 23.0, a product of EC2 Software program, an organization acquired in 2023 by Atlanta-based Mirion Medical.

Mirion Medical, a radiation security expertise firm, in an announcement to Info Safety Media Group, stated it has addressed the problems cited within the CISA alert.

“As quickly as Mirion turned conscious of those vulnerabilities we took speedy motion to resolve them and supply our prospects with fixes on the earliest potential alternative,” a Mirion spokeswoman stated.

“We coordinated with CISA, our prospects and different entities in accordance with coordinated vulnerability disclosure course of finest practices. All fixes are addressed inside our newest launch of the software program, Model 23.”

CISA stated the affected Mirion merchandise are used worldwide. Mirion didn’t instantly reply to ISMG’s inquiry concerning the estimated variety of prospects that use the affected BioDose/NMIS software program.

The 5 BioDose/NMIS vulnerabilities flagged by CISA embody three “incorrect permission project for essential useful resource” points, plus one vulnerability involving “use of client-side authentication” and one other involving “use of hard-coded credentials.”

Incorrect Permission Task Flaws

The inaccurate permission project for essential useful resource flaws embody CVE-2025-64642, which has a calculated CVSS v3.1 base rating of 8.0, and a CVSS v4 rating of seven.1.

CISA stated that concern pertains to listing paths in BioDose/NMIS V22.02 and former variations that by default have insecure file permissions, “which in sure deployment situations can allow customers on consumer workstations to change this system executables and libraries.”

The second incorrect permission project for essential useful resource vulnerability, CVE-2025-64298, has a calculated CVSS v3.1 base rating of 8.4 and a CVSS v4 base rating of 8.6.

CISA stated the BioDose/NMIS V22.02 and former model installations by which the embedded Microsoft SQL Server Categorical is used are uncovered within the Home windows share accessed by shoppers in networked environments. “By default, this listing has insecure listing paths that enable entry to the SQL Server database and configuration recordsdata, which may include delicate information,” CISA stated.

The third incorrect permission project for essential useful resource vulnerability is assigned as CVE-2025-62575. That flaw has been calculated as having a CVSS v3.1 base rating of 8.3 and a CVSS v4 base rating of 8.7.

The difficulty impacts BioDose/NMIS V22.02 and former variations that depend on a Microsoft SQL Server database. “The SQL consumer account ‘nmdbuser’ and different created accounts by default have the sysadmin position. This could result in distant code execution by means of using sure built-in saved procedures,” CISA stated.

Different Vulnerabilities

The usage of a client-side authentication vulnerability recognized in BioDose/NMIS model 22.02 is assigned as CVE-2025-61940 and has been calculated to have a CVSS v3.1 base rating of 8.3, and a CVSS v4 base rating of 8.7.

CISA stated the BioDose/NMIS V22.02 and former variations depend on a standard SQL Server consumer account to entry information within the database. “Consumer entry within the consumer utility is restricted by a password authentication verify within the consumer software program however the underlying database connection at all times has entry,” CISA stated. The newest model of BioDose/NMIS “introduces an choice to make use of Home windows consumer authentication with the database, which might limit this database connection,” the alert provides.

The final vulnerability, assigned CVE-2025-64778, entails use of hard-coded credentials.

CISA stated BioDose/NMIS software program V22.02 and former variations include executable binaries with plain textual content hard-coded passwords. “These hard-coded passwords might enable unauthorized entry to each the applying and database.”

This vulnerability has a calcuated CVSS v3.1 base rating of seven.3 and a CVSS v4 base rating of 8.4.