Endpoint Security,
Governance & Risk Management,
Internet of Things Security
Mirion Medical Resolves Bugs in Latest BioDose/NMIS Software Update
U.S. federal agencies have issued warnings regarding significant vulnerabilities found in BioDose/NMIS, an inventory tracking software utilized by nuclear medicine and radiology departments. Discovered vulnerabilities threaten to allow attackers to alter program executables, execute code remotely, and access confidential information if exploited.
According to an advisory released by the Cybersecurity Infrastructure and Security Agency (CISA), these vulnerabilities, reported by an independent researcher, affect versions of the BioDose/NMIS software prior to 23.0. This software is produced by EC2 Software, a company acquired by Atlanta-based Mirion Medical in 2023.
In a statement to Information Security Media Group, Mirion Medical confirmed it has resolved the vulnerabilities highlighted by CISA. “Upon learning about these issues, we took immediate steps to address them and provided our customers with fixes as soon as possible,” stated a Mirion representative.
Mirion stated it collaborated with CISA, clients, and other organizations, following best practices for coordinated vulnerability disclosures. All identified security issues have been remedied in the recently released Version 23 of the software. CISA emphasized that the affected Mirion products are distributed globally, though the company did not disclose the number of customers reliant on the compromised BioDose/NMIS software.
The vulnerabilities identified by CISA include three cases of “incorrect permission assignment for critical resources,” one vulnerability related to “client-side authentication,” and another involving “hard-coded credentials.”
The issues related to incorrect permission assignments include CVE-2025-64642, which has a calculated CVSS v3.1 base score of 8.0, highlighting insecure file permissions in BioDose/NMIS versions 22.02 and earlier. These permissions can enable unauthorized users to modify program executables and libraries under certain conditions.
Additionally, CVE-2025-64298 poses similar risks, with a calculated CVSS v3.1 base score of 8.4, affecting installations where Microsoft SQL Server Express is used. The default settings expose sensitive configuration files to unauthorized network access. Another related issue, CVE-2025-62575, with a CVSS v3.1 base score of 8.3, allows remote code execution due to poorly configured SQL user accounts with administrative privileges.
The remaining vulnerabilities include CVE-2025-61940, a client-side authentication flaw, which has a CVSS v3.1 base score of 8.3. This issue arises from a reliance on a common SQL Server user account to access database information, potentially allowing unauthorized database connections. Partnerships with Windows user authentication in the latest update are expected to mitigate this risk.
Finally, CVE-2025-64778 reveals that earlier versions of the software contain executable files with hard-coded passwords, allowing unauthorized access to the application and database. This vulnerability holds a CVSS v3.1 base score of 7.3.
In sum, the recent advisories from CISA indicate that organizations using Mirion Medical’s BioDose/NMIS software could be vulnerable to exploitation. The reported vulnerabilities align with several MITRE ATT&CK tactics, notably initial access through insecure configurations and privilege escalation via poorly assigned user permissions. Business leaders are urged to review their software versions and implement necessary updates to ensure robust cybersecurity measures are in place.
