CVE-2025-62575

8.3 HIGH

📋 TL;DR

This vulnerability in NMIS/BioDose V22.02 and earlier allows an attacker who already holds database credentials to execute arbitrary code through SQL Server stored procedures, because the application's database accounts are created with excessive default privileges (the sysadmin server role). Deployments of these medical software versions on Microsoft SQL Server are affected.

💻 Affected Systems

Products:
  • NMIS/BioDose
Versions: V22.02 and all previous versions
Operating Systems: Windows (SQL Server dependent)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Microsoft SQL Server database backend; default 'nmdbuser' and other created accounts have sysadmin role


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to patient data theft, medical device manipulation, and ransomware deployment across the healthcare network.

🟠 Likely Case

Database takeover enabling data exfiltration, privilege escalation, and lateral movement within the medical IT environment.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are enforced, though database integrity remains at risk.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid database credentials, but once authenticated it relies on well-known SQL Server stored procedures such as xp_cmdshell, which a sysadmin login can enable and call at will.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in advisory

Vendor Advisory: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01

Restart Required: No

Instructions:

1. Review CISA advisory ICSMA-25-336-01
2. Contact vendor for updated version
3. Apply principle of least privilege to database accounts
4. Remove sysadmin role from application accounts

🔧 Temporary Workarounds

Remove sysadmin role from application accounts

Platform: Windows (SQL Server)

Revoke sysadmin privileges from 'nmdbuser' and any other application database accounts, granting only the permissions the application actually needs:

USE master;
ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;

Disable dangerous stored procedures

Platform: Windows (SQL Server)

Disable built-in stored procedures such as xp_cmdshell that allow operating-system command execution. Note that any login still holding sysadmin can simply re-enable the option, so this workaround only holds together with the sysadmin removal above:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
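The two workarounds above, combined into one idempotent hardening script. This is an added example, not a script from the vendor or from the CISA advisory. It assumes the application database is called NMIS_DB (placeholder name) and that the application only needs read/write access plus EXECUTE on its own dbo objects; confirm the real permission set with the vendor before running it, and run it for every application login, not just nmdbuser.

```sql
-- Added hardening example (not vendor/CISA code).
-- Assumptions: application database NMIS_DB (placeholder); the app needs
-- only read/write + EXECUTE on schema dbo. Adjust to the vendor's real needs.
USE master;
GO
-- 1. Remove sysadmin membership only if the login actually holds it.
IF IS_SRVROLEMEMBER('sysadmin', 'nmdbuser') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;
GO
-- 2. A sysadmin login mapped to dbo implicitly; after the drop it needs an
--    explicit database user in the application database.
USE NMIS_DB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'nmdbuser')
    CREATE USER nmdbuser FOR LOGIN nmdbuser;
GO
-- 3. Put the needed rights in a custom role so they can be audited and reused
--    for the "other created accounts" the advisory mentions.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'app_rw' AND type = 'R')
    CREATE ROLE app_rw;
GO
ALTER ROLE db_datareader ADD MEMBER app_rw;   -- roles may be nested
ALTER ROLE db_datawriter ADD MEMBER app_rw;
GRANT EXECUTE ON SCHEMA::dbo TO app_rw;
ALTER ROLE app_rw ADD MEMBER nmdbuser;
GO
-- 4. Disable xp_cmdshell, then hide advanced options again so the change is
--    not silently undone by a later blanket RECONFIGURE.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Run it from a login that is itself sysadmin (it must be a different login from the one being demoted), and re-test the application afterwards: if a feature breaks, grant the specific missing permission to app_rw rather than restoring sysadmin.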

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate database servers from internet and untrusted networks
  • Deploy database activity monitoring to detect suspicious stored procedure usage and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check SQL Server for accounts holding the sysadmin role:

SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1

Check Version:

Check NMIS/BioDose version in application interface or consult vendor documentation

Verify Fix Applied:

Re-run the same query and confirm that 'nmdbuser' and the other application accounts are no longer listed, then confirm that xp_cmdshell is disabled (value_in_use = 0 in sys.configurations).
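A single verification script that turns the checks above into PASS/FAIL findings. It is an added example, not part of the advisory. The list of application logins is an assumption: the page names only 'nmdbuser', so add the other accounts the installer created on your system.

```sql
-- Added verification example (not vendor/CISA code).
SET NOCOUNT ON;

-- Assumed list of application logins; extend with the other accounts
-- created by the NMIS/BioDose installer on this server.
DECLARE @app_logins TABLE (name sysname PRIMARY KEY);
INSERT INTO @app_logins (name) VALUES (N'nmdbuser');

-- Finding 1: every login holding sysadmin. Built-in entries (sa, the SQL
-- Server service accounts) still appear and deserve review, but an
-- application login in this list is the vulnerable configuration.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       CASE WHEN a.name IS NOT NULL
            THEN 'FAIL: application account holds sysadmin'
            ELSE 'review'
       END AS finding
FROM sys.server_principals AS sp
LEFT JOIN @app_logins AS a ON a.name = sp.name
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G')          -- SQL logins, Windows logins, groups
ORDER BY finding, sp.name;

-- Finding 2: xp_cmdshell state. value_in_use is what the engine enforces now;
-- value is the pending setting if RECONFIGURE has not been run yet.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 0 THEN 'PASS' ELSE 'FAIL' END AS finding
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- Finding 3: databases owned by an application login. The owner maps to dbo
-- and can grant itself anything inside that database, which undermines the
-- least-privilege fix even after sysadmin has been removed.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       'review: application login owns database' AS finding
FROM sys.databases AS d
JOIN @app_logins AS a ON a.name = SUSER_SNAME(d.owner_sid);
```

Expected result on a remediated server: the first result set contains no FAIL rows, the second reports PASS, and the third is empty.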

📡 Detection & Monitoring

Log Indicators:

  • SQL Server logs showing xp_cmdshell or other dangerous stored procedure execution
  • Failed login attempts to database accounts
  • Unusual account privilege changes

Network Indicators:

  • Unexpected outbound connections from database servers
  • SMB or RDP connections originating from SQL Server

SIEM Query:

source="sql_server" AND (event_id=15457 OR event_id=33205 OR message="*xp_cmdshell*")

(Adjust the source and field names to your SIEM's schema. Event 15457 is the SQL Server message logged when a configuration option such as xp_cmdshell is changed; 33205 is the SQL Server Audit event.)
