CVE-2025-64298
📋 TL;DR
This vulnerability exposes SQL Server database and configuration files through insecure Windows share permissions in NMIS/BioDose networked installations. Attackers can access sensitive data including credentials and patient information. Organizations using NMIS/BioDose V22.02 or earlier with embedded Microsoft SQL Server Express in networked Windows environments are affected.
💻 Affected Systems
- NMIS/BioDose
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive medical data including patient records, credentials, and system configuration leading to data theft, ransomware deployment, or system takeover.
Likely Case
Unauthorized access to database files containing sensitive information, potentially leading to data exfiltration or credential harvesting.
If Mitigated
Limited exposure with proper access controls preventing unauthorized network access to the vulnerable share.
🎯 Exploit Status
Exploitation requires network access to the vulnerable Windows share, which typically requires some level of network authentication but may be accessible to any authenticated domain user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V22.03 or later
Vendor Advisory: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01
Restart Required: Yes
Instructions:
1. Download NMIS/BioDose V22.03 or later from the vendor.
2. Back up the current installation and database.
3. Run the installer to upgrade.
4. Restart the system and verify proper functionality.
🔧 Temporary Workarounds
Restrict Windows Share Permissions
Modify share permissions to restrict access to authorized users only. net share accepts /GRANT only when a share is created (the grant is a comma-separated user,permission pair), so remove the existing share and re-create it on the data directory with the restricted grant. The path shown is the one used in the icacls command; replace SHARENAME, the path and the account with the actual values:
net share SHARENAME /DELETE
net share SHARENAME="C:\Program Files\NMIS\Data" /GRANT:DOMAIN\AuthorizedUser,FULL
icacls "C:\Program Files\NMIS\Data" /grant DOMAIN\AuthorizedUser:(OI)(CI)F /inheritance:r
The icacls /inheritance:r switch strips inherited ACEs from the directory, so grant the SQL Server service account (and SYSTEM) in the same way, or the instance loses access to its own data files.
Disable Network Share Access
Remove network sharing from the vulnerable directory
net share SHARENAME /DELETE
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NMIS/BioDose systems from general network access
- Apply Windows file system and share permissions restricting access to only necessary service accounts
🔍 How to Verify
Check if Vulnerable:
Check whether the NMIS/BioDose version is V22.02 or earlier, and whether the SQL Server data directory is exposed through a share with insecure permissions, using the 'net share' command ('net share' alone lists all shares; 'net share SHARENAME' shows a share's path and its permission entries).
Check Version:
Check application version in About dialog or installation directory properties
Verify Fix Applied:
Verify that the version is V22.03 or later, and test that the SQL Server data directory is either not reachable through any network share or is only reachable through a share with restricted permissions.
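The share check above can be automated. The PowerShell script below is an added example (not from the advisory or the vendor): it lists every SMB share whose path is the data directory or one of its parents, then reports share-level and NTFS grants to broad principals. The data directory path and the list of "broad" principals are assumptions; adjust them to the actual installation and run the script elevated on the NMIS/BioDose host.

```powershell
# Added example, not vendor code. Audits SMB shares that expose the SQL Server
# data directory of an NMIS/BioDose installation and flags grants to broad groups.
# Assumption: $DataDir is the install path used in the workaround above; change it
# to the real location. Run in an elevated PowerShell session on the host.

$DataDir = 'C:\Program Files\NMIS\Data'   # assumed path, adjust to the actual install
$BroadPrincipals = @(                     # principals that should never hold access here
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    '*\Domain Users'
)

function Get-ExposedDataShares {
    param([string]$Path = $DataDir)
    $findings = @()

    # A share exposes the directory if its path is the directory itself or a parent
    # (e.g. a share on C:\Program Files also exposes ...\NMIS\Data).
    $target = $Path.TrimEnd('\') + '\'
    $shares = Get-SmbShare | Where-Object {
        $_.Path -and $target.StartsWith(($_.Path.TrimEnd('\') + '\'), 'OrdinalIgnoreCase')
    }

    foreach ($share in $shares) {
        # Share-level permissions (what net share SHARENAME prints as "Permission")
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $broad = $BroadPrincipals | Where-Object { $ace.AccountName -like $_ }
            if ($ace.AccessControlType -eq 'Allow' -and $broad) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Layer = 'Share'
                    Principal = $ace.AccountName; Right = $ace.AccessRight
                }
            }
        }
        # NTFS permissions on the shared folder; effective access is the more
        # restrictive of the two layers, so both must be tight.
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $broad = $BroadPrincipals | Where-Object { $ace.IdentityReference.Value -like $_ }
            if ($ace.AccessControlType -eq 'Allow' -and $broad) {
                $findings += [pscustomobject]@{
                    Share = $share.Name; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights
                }
            }
        }
    }
    return $findings
}

$result = Get-ExposedDataShares
if ($result) {
    $result | Format-Table -AutoSize
} else {
    "No share exposing $DataDir with broad permissions found."
}
```

An empty result means no share reaches the data directory with a grant to the listed groups; it does not prove the directory is unshared, so pair it with the version check. Administrative shares such as C$ will appear in the share list but normally carry no broad grants.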
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unauthorized access attempts to SQL Server data shares
- SQL Server logs showing unusual connection patterns
Network Indicators:
- SMB traffic to NMIS/BioDose SQL Server data directories from unauthorized sources
- Port 445 access attempts to the vulnerable system
SIEM Query:
source="Windows Security" EventID=5145 (ShareName="*NMIS*" OR ShareName="*BioDose*")
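The same detection can be run directly on the host. The PowerShell script below is an added example (not from the advisory): it reads Security event 5145 (detailed file share access) for shares whose name matches the NMIS/BioDose patterns, drops accesses by an allow-list of expected accounts, and summarises the rest per account and source address. Event 5145 is only written when the "Detailed File Share" audit subcategory is enabled (for example with auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable). The allow-list accounts and share-name patterns are placeholders.

```powershell
# Added example, not from the advisory. Hunts Security event 5145 for access to
# NMIS/BioDose shares by accounts outside an allow-list. Assumptions: the
# "Detailed File Share" audit subcategory is enabled, and the accounts and
# patterns below are placeholders for the real service/admin accounts.

$AllowedAccounts = @('DOMAIN\svc-sqlserver', 'DOMAIN\nmis-admin')   # placeholder accounts
$SharePatterns   = @('*NMIS*', '*BioDose*')                         # ShareName looks like \\*\NMIS

function Get-SuspiciousShareAccess {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        # Parse EventData by field name (SubjectUserName, IpAddress, ShareName,
        # RelativeTargetName, AccessMask) instead of relying on message text order.
        $d = @{}
        foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        $matched = $SharePatterns | Where-Object { $d['ShareName'] -like $_ }
        if (-not $matched) { continue }

        $account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        if ($AllowedAccounts -contains $account) { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = $account
            SourceIp   = $d['IpAddress']
            Share      = $d['ShareName']
            Target     = $d['RelativeTargetName']   # e.g. a .mdf/.ldf or config file
            AccessMask = $d['AccessMask']
        }
    }

    # One row per account/source pair; the Targets column shows what was touched,
    # which separates a stray directory listing from bulk reads of database files.
    $hits | Group-Object Account, SourceIp | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'Targets'; Expression = { ($_.Group.Target | Select-Object -Unique) -join ', ' } }
}

Get-SuspiciousShareAccess -Hours 24 | Format-Table -AutoSize
```

Run it on a schedule or feed the per-account rows into the SIEM alongside the query above; a single unexpected account reading .mdf or .ldf files from the share is worth an immediate look.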