CVE-2025-61940
📋 TL;DR
This vulnerability allows attackers to bypass the NMIS/BioDose application's authentication by directly accessing the SQL Server database using a shared database account. All organizations running NMIS/BioDose V22.02 or earlier versions are affected if they haven't implemented Windows authentication for database access.
💻 Affected Systems
- NMIS/BioDose
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to the medical/biological dose database, allowing them to view, modify, or delete sensitive patient dose records, treatment plans, and system configuration data.
Likely Case
Unauthorized access to sensitive medical dose data, potential data exfiltration, and manipulation of dose calculation records that could impact patient treatment accuracy.
If Mitigated
Limited to application-layer attacks only, with database access properly restricted to authorized users through Windows authentication.
🎯 Exploit Status
Exploitation requires knowledge of the shared database credentials and network access to the SQL Server. Attackers with internal network access could easily exploit this using standard SQL client tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version (post V22.02) with Windows authentication option
Vendor Advisory: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01
Restart Required: Yes
Instructions:
1. Upgrade to the latest NMIS/BioDose version.
2. Enable Windows authentication for database connections.
3. Migrate from the shared SQL account to Windows authentication.
4. Restart the application and verify database connectivity.
🔧 Temporary Workarounds
Implement Network Segmentation
Restrict network access to the SQL Server database to only authorized application servers and administrative workstations.
# Configure firewall rules to restrict SQL Server port 1433 access
# Windows: New-NetFirewallRule -DisplayName 'Restrict SQL Access' -Direction Inbound -Protocol TCP -LocalPort 1433 -RemoteAddress 'Authorized_IPs' -Action Allow
# Note: this Allow rule only limits access if no broader inbound rule for port 1433 already exists; narrow or remove any such rule first, and adjust the port if the instance listens on a non-default port
Change Database Credentials
Regularly rotate the shared SQL Server account password and implement strong password policies.
# SQL Server: ALTER LOGIN [nmis_user] WITH PASSWORD = 'NewStrongPassword123!'
# Schedule regular password rotation and update the application's connection configuration at the same time, since every NMIS/BioDose client using the shared account will otherwise fail to connect
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the SQL Server database
- Enable comprehensive logging and monitoring of all database access attempts and review logs regularly
🔍 How to Verify
Check if Vulnerable:
Check if NMIS/BioDose is using SQL Server authentication with a shared account instead of Windows authentication. Review database connection configuration in the application settings.
Check Version:
Check application version in Help > About or review installation directory for version information
Verify Fix Applied:
Verify that Windows authentication is enabled in the latest version and test that the shared SQL account can no longer access the database directly.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts using shared SQL account from unauthorized IPs
- Database queries from non-application sources
- Multiple failed login attempts to SQL Server
Network Indicators:
- SQL Server connection attempts from unexpected network segments
- Database queries outside normal application patterns
SIEM Query:
source='sql_server' AND (((event_id=18456 OR event_id=18454) AND message LIKE '%nmis%') OR source_ip NOT IN (authorized_application_servers))
Note: the parentheses matter. Without them the trailing OR matches every event whose source is outside the allowlist regardless of source or event id. 18456 is SQL Server's "Login failed" event and 18454 its "Login succeeded" event; 18454 is only written when login auditing on the instance is set to record successful logins as well as failures, so enable that for the query to see direct use of the shared account.
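Added example (not from the advisory or the vendor): a Python check that applies the log indicators above to SQL Server ERRORLOG lines, flagging the shared account logging in from hosts other than the application servers, password-guessing bursts against it, and successful logins that still use SQL Server rather than Windows authentication. It assumes the shared account is named nmis_user (the name used in the workaround above) and that the application servers sit in 10.10.1.0/24; the log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample SQL Server ERRORLOG lines (made up for this example, not from the advisory).
# 'nmis_user' is the shared account name from the workaround; 10.10.1.0/24 is an assumed app-server subnet.
SAMPLE_LOG = """\
2025-12-02 08:00:01.10 Logon       Login succeeded for user 'nmis_user'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.5]
2025-12-02 08:05:12.33 Logon       Error: 18456, Severity: 14, State: 8.
2025-12-02 08:05:12.33 Logon       Login failed for user 'nmis_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.42]
2025-12-02 08:05:14.01 Logon       Error: 18456, Severity: 14, State: 8.
2025-12-02 08:05:14.01 Logon       Login failed for user 'nmis_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.42]
2025-12-02 08:05:15.90 Logon       Error: 18456, Severity: 14, State: 8.
2025-12-02 08:05:15.90 Logon       Login failed for user 'nmis_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.42]
2025-12-02 08:06:02.47 Logon       Login succeeded for user 'nmis_user'. Connection made using SQL Server authentication. [CLIENT: 10.10.7.42]
2025-12-02 08:07:30.00 Logon       Login succeeded for user 'CORP\\svc_nmis'. Connection made using Windows authentication. [CLIENT: 10.10.1.5]
"""

# The 'Error: 18456' line only carries the event id; the 'Login failed/succeeded' line that
# follows it carries the account, auth type and client address, so that is the line we parse.
LOGON_RE = re.compile(r"Logon\s+Login (?P<outcome>succeeded|failed) for user "
                      r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
AUTH_RE = re.compile(r"using (?P<auth>SQL Server|Windows) authentication")

def analyze(log_text, shared_account="nmis_user", authorized=("10.10.1.0/24",), fail_threshold=3):
    """Return (severity, message) findings for misuse of the shared database account: logins from
    hosts outside the app-server allowlist, failed-password bursts, and lingering SQL Server auth."""
    allow = [ip_network(n) for n in authorized]
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LOGON_RE.search(line)
        if not m or m["user"] != shared_account:
            continue  # not a logon event for the shared account
        client, outcome = m["client"], m["outcome"]
        trusted = any(ip_address(client) in net for net in allow)
        if outcome == "failed":
            failures[client] += 1
            if failures[client] == fail_threshold:  # fire once per source when the burst threshold is hit
                findings.append(("high", f"{fail_threshold} failed logins for {shared_account} from {client}"))
            continue
        a = AUTH_RE.search(line)
        auth = a["auth"] if a else "unknown"
        if not trusted:
            findings.append(("critical", f"{shared_account} logged in from unauthorized host {client} via {auth} authentication"))
        elif auth == "SQL Server":
            findings.append(("info", f"{shared_account} still uses SQL Server authentication from {client}; Windows authentication not yet enforced"))
    return findings
```

Feed it the instance's current ERRORLOG (or the equivalent Windows Application log events forwarded to the SIEM); the "critical" finding is the direct-database-access pattern this CVE describes, and the "info" finding confirms whether the fix in the section above has actually been applied.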