Mirion Medical’s ec2 Software NMIS/BioDose is the subject of a coordinated security advisory that assigns five CVE identifiers, with high CVSS v3.1 and v4 scores, to NMIS/BioDose installations; warns of local and network attack paths that can end in arbitrary code execution and exposure of clinical data; and names an upgrade to version 23.0 or later as the immediate remediation. The advisory describes four classes of failure: insecure installation permissions, SQL Server Express files exposed on Windows shares, client‑side authentication backed by a shared database account, and hard‑coded credentials for SQL logins that hold the sysadmin role. That combination makes this a high‑priority patch for healthcare IT and clinical engineering teams running NMIS/BioDose. The product belongs to Mirion Medical’s ec2 Software portfolio and is widely deployed in nuclear medicine departments, radiopharmacies and hospital imaging workflows.
Source: CISA Mirion Medical EC2 Software NMIS BioDose | CISA
Background / Overview
NMIS and BioDose (now part of ec2 Software under Mirion Medical) are legacy, specialist nuclear‑medicine management platforms used for inventory, dose tracking, regulatory reporting, and integration with PACS/EMR systems. They are installed in clinical and pharmacy environments where access to dose records, batch manufacturing data and patient scheduling is operationally required. Mirion’s acquisition of ec2 Software consolidated these products under the Mirion Medical brand and means the software remains in active commercial distribution across many hospitals and nuclear pharmacies. The security advisory under review reports multiple distinct weaknesses in NMIS/BioDose versions prior to 23.03.2 (and specifically flags V22.02 and earlier installations). The impact model centers on two operational realities:
- Clinical systems often run as multi‑user Windows installs, with back‑end Microsoft SQL Server Express databases accessible from trusted networks.
- Engineering and administrative tasks (patching, backups, file sharing) sometimes create broad Windows share access patterns that, if combined with insecure file permissions or shared database users, can be leveraged by an attacker with network or local access.
What the advisory says (concise summary)
The advisory’s executive summary groups the findings into a short list of actionable items and root causes:
- Incorrect Permission Assignment for Critical Resource — installation directory paths for NMIS/BioDose V22.02 and earlier are created with insecure file permissions, allowing local users on client workstations to modify executables and libraries (CVE-2025-64642).
- Insecure Windows Share / SQL Server Express Exposure — installations that use the embedded Microsoft SQL Server Express expose the database and configuration files on a network share accessible by clients, potentially leaking sensitive data and DB files (CVE-2025-64298).
- Use of Client‑Side Authentication / Shared SQL Account — the client app enforces login in the UI but the underlying DB connection uses a common SQL user that always has access; V23.0 introduces an option to use Windows authentication to mitigate this vector (CVE-2025-61940).
- Hard‑coded Plaintext Credentials in Binaries — shipped executables include plain text, hard‑coded passwords that can be used to access application functions and the database (CVE-2025-64778).
- Dangerous SQL Role Assignment — the default SQL user account(s), including 'nmdbuser', are created with sysadmin role by default, allowing the use of powerful stored procedures that can lead to remote code execution (CVE-2025-62575).
Technical analysis: how the issues chain together
1) Weak installation permissions (local file modification → executable tampering)
When installation directories and program binaries are created with overly permissive ACLs, any user who can log on to the client workstation (and, where the install directory is also exposed as a share, anyone who can reach that share) can replace or alter executables and DLLs that the application and its service processes later load. In practical terms this turns a low‑privilege foothold on a workstation into code execution in the application’s context, and the implant persists because it lives in the program directory. The advisory ties this to CVE‑2025‑64642 and scores it high on impact. Attackers can use it to plant persistent malware or to manipulate the logic used for dose calculation and reporting, directly affecting clinical records and potentially regulatory reporting.
2) Network‑accessible SQL Server files (data exfiltration and tampering)
NMIS/BioDose installations that use the embedded Microsoft SQL Server Express and place database or configuration files on a Windows share that clients can access open a direct path to the data. An attacker who can read those files can copy the database or backup files and attach or restore them on a SQL Server instance they control, which yields every record without any SQL login; one who can write them can alter the database offline or change configuration so that clients talk to an attacker‑controlled server. The assigned CVE (CVE‑2025‑64298) reflects that confidentiality and integrity impact: patient and dose records, system configuration and secrets can be exfiltrated or altered. This is particularly risky in healthcare, where audit trails and dose accountability are regulatory requirements.
3) Client‑side authentication but shared DB account (auth bypass at data layer)
A recurring anti‑pattern in legacy enterprise applications is to implement user authentication purely in the client and then connect to the database with a single shared service account. Every client therefore carries a credential that grants full application‑level data access, so an attacker who bypasses or patches the client checks, or who simply captures the connection string, reaches the database with the shared account’s privileges and leaves no per‑user audit trail. The advisory maps this to CVE‑2025‑61940 for NMIS/BioDose V22.02 and earlier and notes that V23.0 introduces an option for Windows Integrated Authentication, a meaningful hardening step because it ties database access to the Windows user identity and removes the need to store a shared DB password on disk or in binaries. The option only helps if it is actually enabled after the upgrade and the old shared SQL login is disabled or stripped of its rights.
4) Hard‑coded credentials + sysadmin DB role (immediate lateral escalation)
Hard‑coded plaintext passwords in executables are a classic, high‑impact vector: once extracted (with a strings scan, a disassembler, or a plain file read on a client workstation) they let an adversary authenticate to application functions or the database. The advisory reports both hard‑coded passwords in binaries (CVE‑2025‑64778) and that default SQL accounts such as 'nmdbuser' are created with the sysadmin role (CVE‑2025‑62575). Combined, these give anyone holding a client binary a sysadmin login, and a sysadmin can enable with sp_configure and then call the SQL Server features that run operating‑system commands or load arbitrary code (xp_cmdshell, the OLE Automation procedures sp_OACreate/sp_OAMethod, CLR assemblies), converting access to one workstation into code execution as the SQL Server service account on the database host. This chain is the primary operational risk highlighted.
Risk evaluation and operational impact
- Clinical data exposure: patient records, dose logs, and regulatory reports stored in SQL databases are high‑value targets; data theft or manipulation could trigger privacy breaches and regulatory action.
- Integrity of dose records: tampering with dose calculation modules or inventory records can create inaccurate dosing histories with potential clinical and regulatory consequences.
- Remote code execution: over‑privileged SQL accounts plus writable binaries enable full system compromise, persistence, and lateral movement into hospital networks and Windows‑based HMIs or PACS servers.
- Supply chain and operational disruption: compromised NMIS/BioDose systems could be used as staging points for broader ransomware or sabotage campaigns that target clinical workflow continuity.
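The escalation described under 4) above can be checked mechanically on every instance. The following Python script is an added example written for this article, not code from the advisory or from Mirion: it queries the real SQL Server catalog views sys.server_principals, sys.server_role_members and sys.configurations, flags application logins that hold a server-level admin role and any code-execution option that is switched on, and prints the T-SQL that removes the role and disables the option. The rows embedded in it are constructed to resemble an affected install; the login name nmdbuser comes from the advisory, while the database name NMIS, the allowed-administrator list and the use of a DB-API connection (pyodbc or pymssql) are assumptions.

```python
"""Audit SQL Server for the escalation pattern in the advisory: an application
login (the advisory names 'nmdbuser') holding a server-level admin role, plus
server options that let a sysadmin run OS commands or load code. Added example,
not vendor code: the sample rows are constructed, the database name NMIS and
the use of a DB-API connection are assumptions."""
from dataclasses import dataclass

# Queries against real catalog views; run them through any DB-API driver
# (pyodbc, pymssql) or sqlcmd. Aliases match the dict keys used by audit().
ROLE_MEMBERS_SQL = """
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R'"""
CONFIG_SQL = """
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled')"""

ADMIN_ROLES = {"sysadmin", "securityadmin", "serveradmin"}   # server-wide control
# Options that turn sysadmin into OS code execution (xp_cmdshell, sp_OACreate/
# sp_OAMethod, CLR assemblies). All three are 0 on a default install.
RCE_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}
ALLOWED_ADMINS = {"sa"}               # assumption: extend with your DBA group
ALLOWED_PREFIXES = ("NT SERVICE\\",)  # per-service SIDs that SQL Server setup adds
SHOW_ADVANCED = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "


@dataclass
class Finding:
    severity: str
    subject: str
    detail: str
    fix_sql: str   # T-SQL remediation, to be reviewed and run as a real admin


def fetch_rows(conn):
    """Run both queries on a DB-API connection; return (role_rows, config_rows)."""
    results = []
    for sql in (ROLE_MEMBERS_SQL, CONFIG_SQL):
        cur = conn.cursor()
        cur.execute(sql)
        cols = [d[0] for d in cur.description]
        results.append([dict(zip(cols, row)) for row in cur.fetchall()])
    return results[0], results[1]


def audit(role_rows, config_rows, allowed=ALLOWED_ADMINS):
    """Flag non-allowed members of admin roles and enabled RCE options."""
    findings = []
    for row in role_rows:
        role, member = row["role_name"], row["member_name"]
        if role not in ADMIN_ROLES or member in allowed \
                or member.startswith(ALLOWED_PREFIXES):
            continue
        findings.append(Finding("high", member,
                                f"login is a member of server role {role}",
                                f"ALTER SERVER ROLE [{role}] DROP MEMBER [{member}];"))
    for row in config_rows:
        if row["name"] in RCE_OPTIONS and int(row["value_in_use"]) == 1:
            findings.append(Finding("high", row["name"],
                                    "code-execution option is enabled server-wide",
                                    SHOW_ADVANCED + f"EXEC sp_configure '{row['name']}', 0; RECONFIGURE;"))
    return findings


def least_privilege_sql(login, database, roles=("db_datareader", "db_datawriter")):
    """T-SQL that replaces sysadmin with database-scoped rights for an app login.
    Add GRANT EXECUTE statements if the application calls stored procedures."""
    lines = [f"USE [{database}];",
             f"IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'{login}')",
             f"    CREATE USER [{login}] FOR LOGIN [{login}];"]
    lines += [f"ALTER ROLE [{r}] ADD MEMBER [{login}];" for r in roles]
    return "\n".join(lines)


# Constructed rows shaped like the two result sets, for an affected install:
# nmdbuser sits in sysadmin and xp_cmdshell has been switched on.
SAMPLE_ROLES = [
    {"role_name": "sysadmin", "member_name": "sa", "member_type": "SQL_LOGIN"},
    {"role_name": "sysadmin", "member_name": "NT SERVICE\\MSSQL$SQLEXPRESS", "member_type": "WINDOWS_LOGIN"},
    {"role_name": "sysadmin", "member_name": "nmdbuser", "member_type": "SQL_LOGIN"},
]
SAMPLE_CONFIG = [
    {"name": "xp_cmdshell", "value_in_use": 1},
    {"name": "Ole Automation Procedures", "value_in_use": 0},
    {"name": "clr enabled", "value_in_use": 0},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ROLES, SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.subject}: {f.detail}\n    {f.fix_sql}")
    print(least_privilege_sql("nmdbuser", "NMIS"))
```

Run the audit against every NMIS/BioDose SQL Express instance before and after the upgrade. ALTER SERVER ROLE ... DROP MEMBER needs SQL Server 2012 or later (use sp_dropsrvrolemember on older instances), and the application must be regression-tested after the drop because any stored procedure the client calls then needs an explicit GRANT EXECUTE.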
Verification, independent cross‑checks, and cautionary notes
- Mirion publicly lists the NMIS/BioDose product and the ec2 Software suite as Mirion Medical offerings, confirming the product family and vendor relationship. This is an authoritative vendor source for product naming and product lifecycle.
- The advisory text (CSAF) supplied to customers lists the CVE identifiers and CVSS vectors described above and recommends updating to V23.0 or later. That advisory is the canonical source for the precise vulnerability assignments and the vendor’s recommended fix.
- Independent ICS/OT advisory summaries and CISA‑style mitigation guidance echo the same defensive posture: minimize Internet exposure, segment networks, place clinical control systems behind firewalls and jump hosts, and prefer integrated authentication to shared service accounts. These best practices are consistent across multiple ICS advisories and vendor recommendations.
Immediate remediation and mitigation (operational checklist)
Mirion’s primary remediation: update to V23.0 or later (customers with an active support contract should obtain the update via the software or through Mirion support). The advisory also lists a set of immediate defensive measures and CISA‑style mitigations; combine vendor patching with network and endpoint controls:
- Apply the Mirion ec2/NMIS/BioDose update to V23.0+ as soon as operational testing is complete.
- If patching requires maintenance windows, immediately implement compensating controls:
- Remove Windows share exposure for the SQL Server data directory and assign restrictive NTFS ACLs so only the SQL Server service account and administrators can read/write.
- Replace shared SQL login access with Windows Integrated Authentication where possible; rotate any service passwords not managed by a vault.
- Remove sysadmin privileges from application SQL accounts; operate with least privilege (only the rights needed for normal DB operations).
- Investigate and remediate hard‑coded credentials: a password compiled into the client cannot be rotated until the vendor build that stops embedding it is deployed, so until V23.0 is in place treat the embedded login as known to every local user, restrict what it can do in SQL Server (no server roles, database‑scoped rights only) and which hosts may connect with it, and treat any installation whose binaries have been copied off‑host as exposed.
- Isolate NMIS/BioDose servers on a dedicated VLAN/subnet with ACLs that permit only explicit management hosts and clinical interfaces. Deny direct Internet access.
- For Windows client hosts: enforce least privilege for users, enable EDR/AV protections, disable write access to program directories for non‑admin accounts, and use application whitelisting where feasible.
- Audit file and share permissions across clinical file servers and confirm no world‑writable or world‑readable program directories exist.
- Monitor logs and SQL audit trails for anomalous access — large data exports, schema changes, or use of powerful stored procedures — and integrate alerts into SIEM/incident response workflows.
- If a compromise is suspected, isolate the host, collect forensic artifacts (MDF/LDF, event logs, file timestamps), and rotate any secrets or service account passwords referenced in the environment.
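For the share and NTFS items above, an export from icacls is easier to audit than a screenshot of Explorer. The Python below is an added example, not Mirion’s or the advisory’s code: it parses the SDDL lines that `icacls <dir> /save acl.txt /T` writes, flags Allow ACEs that give anyone other than SYSTEM, Administrators and the SQL Server service account write rights under the program tree or read rights under the database directory, and prints the icacls commands that revoke them. The export embedded in it is constructed; the directory layout under ec2\NMIS, the Data directory name and the service SID S-1-5-80-1-2-3-4-5 are placeholders.

```python
"""Audit NTFS ACLs exported with `icacls <dir> /save acl.txt /T` (one path line
followed by one SDDL line per object). Parses the DACL, flags Allow ACEs that
give non-trusted principals write access anywhere under the program tree or
read access under the SQL data directory, and emits icacls commands to revoke
them. Added example, not vendor code; the export below is constructed, the
directory layout and the service SID are assumptions."""
import re

# SDDL well-known SID abbreviations (Microsoft-defined) used in the report.
SID_NAMES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
             "BU": "BUILTIN\\Users", "WD": "Everyone",
             "AU": "NT AUTHORITY\\Authenticated Users",
             "IU": "NT AUTHORITY\\INTERACTIVE", "AN": "NT AUTHORITY\\ANONYMOUS LOGON",
             "CO": "CREATOR OWNER"}
# SDDL access-right codes -> Win32 access-mask values (file object view).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
# Bits that let a principal change file content, delete, or rewrite the ACL/owner.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x40000000 | 0x10000000)
# Bits that let a principal read file content (enough to copy MDF/LDF files).
READ_BITS = 0x1 | 0x80000000 | 0x10000000
ACE_RE = re.compile(r"\(([^)]*)\)")   # plain ACEs only; conditional ACEs are skipped


def mask_from(rights):
    """Turn an SDDL rights field ('FA', 'GRGX', '0x1301bf') into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def parse_export(text):
    """Yield (path, [(ace_type, flags, mask, sid), ...]) per exported object.
    Real export files are UTF-16LE: open(name, encoding='utf-16').read()."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    for path, sddl in zip(lines[0::2], lines[1::2]):
        dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # keep only the DACL
        aces = []
        for body in ACE_RE.findall(dacl):
            ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
            aces.append((ace_type, flags, mask_from(rights), sid))
        yield path, aces


def audit(text, data_dirs=(), trusted=("SY", "BA")):
    """Return (path, principal, 'write'|'read') for each suspect Allow ACE."""
    findings = []
    for path, aces in parse_export(text):
        in_data = path.startswith(tuple(data_dirs)) if data_dirs else False
        for ace_type, _flags, mask, sid in aces:
            if ace_type != "A" or sid in trusted:
                continue
            who = SID_NAMES.get(sid, sid)
            if mask & WRITE_BITS:
                findings.append((path, who, "write"))
            elif in_data and mask & READ_BITS:
                findings.append((path, who, "read"))
    return findings


def fix_commands(findings, root="C:\\Program Files"):
    """icacls commands that revoke the flagged grants. Review before running:
    an inherited ACE (flag ID in the export) must be removed on the parent, or
    inheritance broken with /inheritance:d first. The root prefix is an assumption."""
    return sorted({f'icacls "{root}\\{path}" /remove:g "{who}"' for path, who, _ in findings})


SVC_SID = "S-1-5-80-1-2-3-4-5"   # placeholder for the NT SERVICE\MSSQL$SQLEXPRESS SID
# Constructed export: program dir writable by Users (Modify = 0x1301bf), Data
# dir readable by Users (Read&Execute = 0x1200a9), Bin dir execute/read only.
SAMPLE_EXPORT = """ec2\\NMIS
D:AI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)
ec2\\NMIS\\Data
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;{svc})(A;OICI;0x1200a9;;;BU)
ec2\\NMIS\\Bin
D:AI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FX;;;BU)
""".format(svc=SVC_SID)

if __name__ == "__main__":
    found = audit(SAMPLE_EXPORT, data_dirs=("ec2\\NMIS\\Data",),
                  trusted=("SY", "BA", SVC_SID))
    for f in found:
        print(f)
    print("\n".join(fix_commands(found)))
```

icacls /save writes UTF-16 text, so open it with encoding='utf-16'. Treat the generated /remove:g commands as a starting point: inherited ACEs have to be removed on the parent or inheritance broken with /inheritance:d, and the SQL Server service SID on a real host comes from `sc showsid MSSQL$SQLEXPRESS` (or the instance’s actual service name).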
Detection and response: what Windows admins and clinical IS teams should do now
- Inventory: identify every NMIS/BioDose installation, Windows clients that run the desktop client, and any SQL Server Express instances associated with the product. Record versions and patch status.
- Permissions review: run an ACL audit against installation paths and SQL data directories; search for non‑admin accounts with modify/write permissions.
- Secrets discovery: scan binaries for plaintext strings that look like passwords (safe, read‑only analysis in a sandbox), then plan credential rotation. Treat any discovered secret as compromised until rotated.
- SQL hardening: verify the role assignments for 'nmdbuser' and other created accounts; remove sysadmin role and restrict to a minimum set of database permissions. Where possible, migrate to Windows authentication and service accounts controlled by AD.
- Endpoint containment: deploy restrictive AppLocker/WDAC policies on Windows client hosts that run the NMIS/BioDose client, and run the client under restricted non‑admin accounts or sandboxed sessions (VDI).
- Logging and threat hunting: add custom detection rules for: unexpected creation/modification of application binaries, unexpected SQL Agent jobs, large MDF/LDF reads, suspicious stored procedure execution (sqlservr.exe appearing as the parent of cmd.exe or powershell.exe is the classic xp_cmdshell signature), and new Windows service installations on hosts that run NMIS/BioDose.
- Incident playbook: prepare a runbook that includes isolation procedures, evidence capture steps, and coordinated communications to compliance/privacy teams in case of data exposure.
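The secrets‑discovery item above is read‑only work that should run in a sandbox against a copy of the client binaries. The Python below is an added example, not the advisory’s or the vendor’s code: it extracts printable strings in both ASCII and UTF‑16LE (the encoding .NET and most Windows executables use for embedded strings), looks for connection‑string keys that carry a password, and reports each hit with the secret redacted so the scan output itself is safe to attach to a ticket. The binary it scans is a constructed byte blob; the login name nmdbuser is from the advisory, and the passwords and server names in the sample are placeholders.

```python
"""Read-only scan of a client binary for embedded SQL connection secrets.
Windows/.NET executables often store strings as UTF-16LE, so both encodings
are extracted. Findings are redacted before they are reported so the scan log
itself does not leak the credential. Added example; the sample bytes are
constructed and the login name nmdbuser is taken from the advisory."""
import re
from dataclasses import dataclass

MIN_LEN = 8
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# ADO.NET / ODBC connection-string keys: the ones that carry the secret, and
# the ones that give it context (server, database, login).
SECRET_KEY_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\"']+)")
CONTEXT_KEY_RE = re.compile(
    r"(?i)\b(user id|uid|data source|server|initial catalog|database)\s*=\s*([^;\"']+)")


@dataclass
class Hit:
    offset: int
    encoding: str
    context: dict     # non-secret connection-string fields
    redacted: str     # e.g. 'Password=Ex**********'; never the full value


def extract_strings(blob):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE printable runs."""
    for m in ASCII_RE.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def redact(value):
    """Keep two characters so an analyst can tell hits apart, mask the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "***"


def scan(blob):
    """Return Hit objects for every extracted string that carries a password."""
    hits = []
    for offset, enc, text in extract_strings(blob):
        m = SECRET_KEY_RE.search(text)
        if not m:
            continue
        ctx = {k.lower(): v.strip() for k, v in CONTEXT_KEY_RE.findall(text)}
        hits.append(Hit(offset, enc, ctx, f"{m.group(1)}={redact(m.group(2).strip())}"))
    hits.sort(key=lambda h: h.offset)
    return hits


def scan_file(path):
    """Scan a file on disk; read-only, so it is safe on a copied binary."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample resembling a .NET client binary: a UTF-16LE ADO.NET
# connection string, an ASCII ODBC string, and padding. Passwords are placeholders.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 64
    + "Data Source=.\\SQLEXPRESS;Initial Catalog=NMIS;User ID=nmdbuser;Password=Example-Only-123".encode("utf-16-le")
    + b"\x00" * 32
    + b"DRIVER={SQL Server};SERVER=nmis-db;UID=nmdbuser;PWD=Placeholder!9;DATABASE=BioDose"
    + b"\x00" * 16 + b"Copyright notice and other ordinary strings"
)

if __name__ == "__main__":
    for h in scan(SAMPLE_BLOB):
        print(f"offset {h.offset} ({h.encoding}): {h.redacted} context={h.context}")
```

Point scan_file() at each client executable and DLL from a copied install; any hit means the credential it names is compromised for every workstation that ever received the binary, which is the input for the credential‑rotation plan.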
Long‑term recommendations for vendors and healthcare operators
- Eliminate shared DB service accounts and avoid placing service credentials in distributed client binaries. Prefer Windows Integrated Authentication, service principals or managed identities tied to your identity infrastructure.
- Ship installers that enforce secure default ACLs and document the expected permissions model. Provide an installer mode for “least‑privilege” and for environments using dedicated SQL instances.
- Remove or refactor any hard‑coded credentials and adopt secret‑management integration (vaults, AD service accounts, or machine‑protected credentials).
- Include integrity checks (file hashes/signatures) and a secure update channel so customers can validate patches before deployment.
- For healthcare operators: include medical application servers in vulnerability scanning and asset‑inventory practices just as you would domain controllers or EMR servers. Clinical ICS assets require the same lifecycle management as core IT. Industry guidance on ICS/OT hardening applies equally to medical systems that sit on the enterprise network.
Strengths and notable mitigations in the vendor response
- Mirion’s advisory and recommended update show vendor engagement and a direct remediation path (V23.0+). The introduction of Windows authentication for database access in the latest release is a targeted and meaningful mitigation that removes a common root cause for data‑layer abuse. The vendor also provides standard guidance for customers on obtaining the update via support contracts.
Remaining risks and cautionary points
- Deployment variance: customers run NMIS/BioDose in widely varying topologies (local installs, shared network storage, embedded SQL Express). The practical exploitability depends heavily on those deployment details. Operators must perform a targeted impact analysis for their configuration.
- Registry publication lag: CVE and NVD entries for newly assigned identifiers sometimes lag vendor advisories. Organizations that depend on registry metadata for compliance should confirm the CVE records directly with the vendor and national vulnerability databases.
- Compensating control complexity: not all hospitals can immediately patch due to clinical uptime requirements. In those cases, strict network isolation and monitoring are mandatory until patches can be scheduled.
Practical checklist (prioritized — what to run this week)
- Record all NMIS/BioDose instances and client hosts, and confirm current product version strings.
- Schedule and test V23.0 upgrade in a non‑production environment; prepare rollback procedures.
- Immediately restrict NTFS and share ACLs for program and data directories.
- Verify SQL account privileges; remove sysadmin role from application accounts.
- Rotate any known service credentials and move to Windows Authentication where feasible.
- Apply endpoint controls: run the application with restricted accounts, enable EDR sensors, and enforce application whitelisting on clinical clients.
- Publish an incident response contact list that includes Mirion support and privacy/compliance leads.
- Monitor for anomalous DB or file activity and prepare for forensic capture if suspicious activity is detected.
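The monitoring item above and the hunts listed under Detection and response can be expressed as a handful of rules over normalised event records. The Python below is an added example, not vendor code: it evaluates four rules (sqlservr.exe spawning a shell, a non‑service account writing an executable under the install tree, a new service installation, and a SQL Server Audit record containing an escalation statement) over constructed records shaped like Sysmon event 1, Security event 4663, System event 7045 and SQL Server Audit event 33205 after a log pipeline has flattened them to dicts. Field names, the install root C:\Program Files\ec2, the HOSP domain, host names and the trusted patching account are assumptions.

```python
"""Detection logic for the hunts in this advisory, run over normalised event
records. Added example; the records below are constructed to look like Sysmon
event 1, Security event 4663, System event 7045 and SQL Server Audit event
33205 after a log pipeline has mapped them to flat dicts. Field names, the
install path and account names are assumptions."""
import re

INSTALL_DIRS = ("C:\\Program Files\\ec2\\",)          # assumed install root
# Accounts expected to write into the install directory (installer, patching).
TRUSTED_WRITERS = {"NT AUTHORITY\\SYSTEM", "HOSP\\svc_nmis_patch"}
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
# Statements that only make sense for someone abusing sysadmin via the app login.
DANGEROUS_SQL = re.compile(
    r"(?i)\b(xp_cmdshell|sp_oacreate|sp_oamethod|sp_add_job|sp_addsrvrolemember"
    r"|alter\s+server\s+role|sp_configure\s+'?(xp_cmdshell|ole automation)"
    r"|create\s+assembly)\b")


def rule_sql_spawns_shell(ev):
    """Sysmon EID 1: xp_cmdshell / sp_OACreate show up as sqlservr.exe -> shell."""
    if ev.get("event_id") == 1 and ev.get("parent_image", "").lower().endswith("sqlservr.exe") \
            and ev.get("image", "").lower().endswith(SHELLS):
        return f"sqlservr.exe spawned {ev['image']} ({ev.get('command_line', '')})"
    return None


def rule_binary_modified(ev):
    """Security EID 4663: write access to an executable under the install tree."""
    if ev.get("event_id") == 4663 and ev.get("user") not in TRUSTED_WRITERS:
        obj = ev.get("object", "")
        if obj.startswith(INSTALL_DIRS) and "Write" in ev.get("access", "") \
                and obj.lower().endswith((".exe", ".dll", ".config")):
            return f"{ev['user']} wrote {obj}"
    return None


def rule_new_service(ev):
    """System EID 7045: a service was installed on a host running NMIS/BioDose."""
    if ev.get("event_id") == 7045:
        return f"new service {ev.get('service_name')} -> {ev.get('image_path')}"
    return None


def rule_dangerous_sql(ev):
    """SQL Server Audit EID 33205 (audit target = Windows Application log)."""
    if ev.get("event_id") == 33205:
        m = DANGEROUS_SQL.search(ev.get("statement", ""))
        if m:
            return f"{ev.get('server_principal')} ran {m.group(1)}: {ev['statement'][:80]}"
    return None


RULES = [rule_sql_spawns_shell, rule_binary_modified, rule_new_service, rule_dangerous_sql]


def detect(events):
    """Return (rule_name, host, detail) for every event a rule fires on."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((rule.__name__, ev.get("host"), detail))
    return alerts


# Constructed telemetry: one true positive per rule plus benign look-alikes.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "NMIS-SRV1", "user": "NT SERVICE\\MSSQL$SQLEXPRESS",
     "parent_image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"event_id": 1, "host": "NMIS-SRV1", "user": "HOSP\\jdoe",
     "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"event_id": 4663, "host": "NMIS-WS07", "user": "HOSP\\jdoe",
     "object": "C:\\Program Files\\ec2\\NMIS\\NMIS.exe", "access": "WriteData (or AddFile)"},
    {"event_id": 4663, "host": "NMIS-WS07", "user": "HOSP\\svc_nmis_patch",
     "object": "C:\\Program Files\\ec2\\NMIS\\NMIS.exe", "access": "WriteData (or AddFile)"},
    {"event_id": 4663, "host": "NMIS-WS07", "user": "HOSP\\jdoe",
     "object": "C:\\Program Files\\ec2\\NMIS\\Reports\\dose.pdf", "access": "ReadData (or ListDirectory)"},
    {"event_id": 7045, "host": "NMIS-SRV1", "service_name": "WinUpdSvc", "image_path": "C:\\Users\\Public\\svc.exe"},
    {"event_id": 33205, "host": "NMIS-SRV1", "server_principal": "nmdbuser",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"event_id": 33205, "host": "NMIS-SRV1", "server_principal": "nmdbuser",
     "statement": "SELECT DoseId, Activity FROM dbo.Doses WHERE PatientId = 42"},
]

if __name__ == "__main__":
    for name, host, detail in detect(SAMPLE_EVENTS):
        print(f"{name:24s} {host:10s} {detail}")
```

The rule bodies translate directly into a SIEM query language; the shell‑from‑sqlservr rule alone catches xp_cmdshell and sp_OACreate abuse regardless of which login was used, so it is the one to deploy first.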
Conclusion
The Mirion ec2 NMIS/BioDose advisory is a high‑impact, actionable disclosure that touches multiple failure classes common to legacy healthcare applications: insecure file permissions, exposed DB files, shared DB service accounts, hard‑coded secrets, and over‑privileged database roles. Together these create plausible paths from low‑privilege local access to full system compromise and data exfiltration — a grave concern in clinical settings where dose records, patient information, and regulatory audit trails are at stake. Mirion’s path to remediation (V23.0+) and the recommendation to move to Windows Integrated Authentication are the correct technical directions; organizations must, however, pair patching with immediate network, file‑permission and credential hygiene to close the most urgent attack paths. For Windows administrators, clinical IS teams and security ops, the priority sequence is clear: inventory, isolate, patch, and monitor — with special attention to SQL Server privileges and share permissions that often underlie exploit chains in medical device ecosystems. For operational actions and confirmation of CVE/NVD records before regulatory reporting, verify the advisory and release notes with your Mirion support contact and cross‑check published CVE entries in national vulnerability registries.