CVE-2025-64642
📋 TL;DR
NMIS/BioDose V22.02 and earlier versions have insecure default file permissions in their installation directories. This allows client workstation users to modify program executables and libraries, potentially leading to code execution or system compromise. Organizations using these versions in multi-user environments are affected.
💻 Affected Systems
- NMIS/BioDose
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the system by replacing legitimate executables with malicious code, leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Privilege escalation where standard users can execute arbitrary code with higher privileges, potentially compromising the entire application and associated systems.
If Mitigated
Limited impact with proper access controls, though the vulnerability still presents an unnecessary attack surface.
🎯 Exploit Status
Exploitation requires local access to a client workstation with standard user privileges; no authentication bypass is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V22.03 or later
Vendor Advisory: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01
Restart Required: Yes
Instructions:
1. Download latest version from vendor.
2. Backup current installation.
3. Run installer with administrative privileges.
4. Restart system after installation.
🔧 Temporary Workarounds
Restrict File Permissions
Manually adjust installation directory permissions to restrict write access to authorized users only.
Windows: icacls "C:\Program Files\NMIS\*" /deny Users:(OI)(CI)W
Linux: chmod -R 755 /opt/nmis && chown -R root:root /opt/nmis
🧯 If You Can't Patch
- Implement strict access controls on installation directories using group policies or configuration management.
- Deploy application whitelisting to prevent execution of unauthorized binaries.
🔍 How to Verify
Check if Vulnerable:
Check if NMIS/BioDose version is V22.02 or earlier and verify installation directory permissions allow write access to standard users.
Check Version:
Windows: wmic product where name="NMIS" get version
Linux: cat /opt/nmis/version.txt
Verify Fix Applied:
Confirm installation of V22.03 or later and verify that installation directories have proper restrictive permissions.
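One way to carry out the permissions check described above, as an added example that is not part of the original advisory or vendor tooling: a parser for saved `icacls "C:\Program Files\NMIS" /T` output that lists allow ACEs granting write-type rights to standard-user principals. The principal list, the column-alignment handling and the sample file names are assumptions made for this example.

```python
import re

# Assumption: principals that every standard workstation user is a member of.
LOW_PRIV = ("Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
            r"NT AUTHORITY\INTERACTIVE")
# icacls rights that let the holder modify or replace a file or rewrite its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "DC", "WDAC", "WO"}
ACE_RE = re.compile("(?P<who>" + "|".join(map(re.escape, LOW_PRIV)) +
                    r"):(?P<flags>(?:\([^)]+\))+)\s*$")

def writable_by_standard_users(icacls_text):
    """Return (path, principal, rights) for each allow ACE that grants write."""
    findings, header = [], ""
    for line in icacls_text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        m = ACE_RE.search(line)
        if not line[0].isspace():
            header = line  # first line of an object: "<path> <first ACE>"
            path = line[:m.start()].rstrip() if m else None
        else:  # continuation ACEs are indented to the column after the path
            indent = len(line) - len(line.lstrip())
            path = header[:indent].rstrip()
        if not m:
            continue
        groups = re.findall(r"\(([^)]+)\)", m.group("flags"))
        if "DENY" in groups or "IO" in groups:
            continue  # deny and inherit-only ACEs grant nothing on this object
        if set(groups[-1].split(",")) & WRITE_RIGHTS:
            findings.append((path, m.group("who"), groups[-1]))
    return findings

# Constructed sample output; app.exe, core.dll and data are hypothetical names.
SAMPLE = r"""C:\Program Files\NMIS\app.exe BUILTIN\Users:(I)(M)
                              NT AUTHORITY\SYSTEM:(I)(F)
                              BUILTIN\Administrators:(I)(F)

C:\Program Files\NMIS\core.dll NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               Everyone:(I)(RX,WD)

C:\Program Files\NMIS\data BUILTIN\Users:(OI)(CI)(DENY)(W)
                           BUILTIN\Users:(OI)(CI)(IO)(M)
                           BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 3 files; Failed processing 0 files
"""
```

Running `writable_by_standard_users(SAMPLE)` reports the `(M)` grant on app.exe and the `(RX,WD)` grant on core.dll. A deny ACE on the same object can override a reported allow ACE, so confirm each finding before treating the host as exposed.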
📡 Detection & Monitoring
Log Indicators:
- Unexpected file modifications in NMIS installation directories
- Failed permission change attempts
- Unusual process execution from NMIS directories
Network Indicators:
- Outbound connections from NMIS processes to unexpected destinations
- Unusual network traffic patterns from affected systems
SIEM Query:
source="windows_security" EventID=4663 ObjectName="*NMIS*" OR source="sysmon" EventID=11 TargetFilename="*NMIS*"