HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Mirion urgently fixes software vulnerabilities in its EC2 Software NMIS BioDose platform

Written by Kirsten Peremore | Dec 5, 2025 3:24:16 PM

Mirion Medical confirmed on December 3, 2025 that it had patched five high-severity vulnerabilities in its EC2 Software NMIS BioDose platform, a radiological dose-tracking and billing system widely used in hospitals.


What happened

The flaws affected all versions prior to v23.0, including NMIS/BioDose V22.02 and earlier. They involved weaknesses in the embedded Microsoft SQL Server Express configuration, insecure file permissions, shared database accounts, sysadmin-level privileges assigned to routine SQL users, and plaintext hard-coded passwords inside executable binaries.

These issues were formally cataloged as CVE-2025-64298, CVE-2025-61940, CVE-2025-62575, CVE-2025-64642, and CVE-2025-64778, with CVSS scores between 7.1 and 8.7 depending on the CVSS version used. Mirion urged all customers to update immediately to version 23.0 or later. While no malicious exploitation had been identified at the time, the vulnerabilities created multiple pathways for unauthorized database access, modification of program files, leakage of sensitive patient-related data, and potential remote code execution.


What are the five identifiers

These five identifiers, CVE-2025-64298, CVE-2025-61940, CVE-2025-62575, CVE-2025-64642, and CVE-2025-64778, represent a cluster of serious security flaws found in older versions of Mirion Medical’s NMIS BioDose software. Each CVE pinpoints a different weakness, but they all create openings an attacker could use to slip into the system, tamper with files, or access sensitive patient and billing data.

Some problems come from insecure default settings, like folders that anyone on the network could open or edit. Others come from deeper architectural issues, such as SQL accounts holding full sysadmin powers or even passwords hard-coded directly into the program’s binaries.


What was said

According to the CISA advisory, “NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection.”
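The shared-account and sysadmin-privilege conditions described in the sections above can be checked from the database side. The following T-SQL audit queries are an added example, not code from CISA or Mirion; they assume read access to the instance's system views (VIEW SERVER STATE and VIEW ANY DEFINITION) on the SQL Server Express instance that hosts the NMIS/BioDose database.

```sql
-- Added example, not vendor or CISA code: server-level audit queries for the
-- weaknesses described above. Assumes VIEW SERVER STATE / VIEW ANY DEFINITION
-- on the SQL Server Express instance.

-- 1. Every login that is a member of the sysadmin fixed server role.
--    Routine application logins (type_desc = 'SQL_LOGIN') should not appear here.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Authentication mode. 1 = Windows authentication only; 0 = mixed mode,
--    meaning SQL logins (and any shared client credential) are accepted.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Live sessions grouped by login and workstation. A single SQL login
--    connected from many hosts is the "common SQL Server user account"
--    pattern CISA describes; Windows logins identify individual users.
SELECT s.login_name, s.host_name, s.program_name, COUNT(*) AS sessions
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
GROUP BY s.login_name, s.host_name, s.program_name
ORDER BY s.login_name, s.host_name;
```

A SQL_LOGIN row in the first result, or 0 in the second, is the configuration that the v23.0 update and its Windows-authentication option are meant to replace.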


The bigger picture

CISA issued a warning about vulnerabilities in Hospital Manager Backend Services, where outdated versions (September 19, 2025, and earlier) exposed hospitals to attacks that could leak system architecture, session tokens, and internal file paths. In both cases, the flaws weren’t zero-day issues; they were basic security gaps created by insecure defaults, over-privileged accounts, and sensitive directories or endpoints left exposed.

Hospital Manager’s CVE-2025-54459 showed how something as simple as an unauthenticated tracing endpoint (/trace.axd) can hand attackers a full map of backend operations, while CVE-2025-61959 leaked detailed error information useful for reconnaissance.

Mirion’s vulnerabilities follow the same pattern: insecure directory permissions, plaintext hard-coded passwords, and SQL accounts with sysadmin rights. These are the kinds of weaknesses that give attackers an easy way in.



FAQs

What is a security patch?

A security patch is a software update designed to fix vulnerabilities that could let attackers break into a system, steal data, or disrupt operations.


How quickly should organizations install patches?

As fast as reasonably possible. Critical or high-severity patches should be applied immediately, especially when they affect systems handling patient data, billing, imaging, or medication workflows.


What happens if a security patch is ignored?

Ignoring patches leaves the door open for attackers.