CVE-2025-61940
Published: 02 December 2025
Summary
CVE-2025-61940 is a high-severity Use of Client-Side Authentication (CWE-603) vulnerability in Mirion BioDose/NMIS. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 20.8th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Mandates least privilege for database connections, directly countering the use of a shared privileged SQL Server account that bypasses client-side restrictions.
- Requires enforcement of approved authorizations for all logical access, ensuring database operations respect per-user privileges rather than defaulting to unrestricted access.
- Establishes account management practices that prevent the creation and use of shared privileged accounts for database connections across all users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables Exploitation of Remote Services (T1210) through the privileged database connection that bypasses client-side restrictions, facilitating unauthorized access to database contents (T1213.006) and manipulation of stored data (T1565.001).
NVD Description
NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection.
Deeper analysis
CVE-2025-61940 is a vulnerability in NMIS/BioDose versions V22.02 and previous, stemming from the use of a common SQL Server user account with unrestricted database access. While the client application enforces user access restrictions via password authentication, the underlying database connection always uses this privileged account, bypassing client-side controls. Classified as CWE-603, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
A low-privileged user (PR:L) with network access (AV:N) can exploit this issue with low attack complexity and no user interaction. The attacker leverages the privileged database connection to achieve high confidentiality impact through unauthorized data access, high integrity impact via data modification, and low availability impact.
The CISA ICS medical advisory (ICSMA-25-336-01) references mitigation via the latest NMIS/BioDose version, which introduces an option for Windows user authentication to restrict database connections based on user privileges.
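As an added example (not code from the advisory or the vendor), the checker below distinguishes the shared-SQL-login connection-string pattern at the root of this CVE from the Windows-authentication form the advisory describes as the fix. The connection strings, server name and login name are constructed placeholders.

```python
# Added example (not vendor code): flag SQL Server connection strings that use
# the shared-SQL-login pattern behind CVE-2025-61940, where every client user
# rides one privileged login and per-user restrictions live only in the client.
from dataclasses import dataclass
from typing import Dict, Optional

# ADO.NET/ODBC keyword aliases, normalised to one canonical lower-case name.
ALIASES = {
    "uid": "user id", "user": "user id", "pwd": "password",
    "trusted_connection": "integrated security",
    "data source": "server", "addr": "server", "address": "server",
}
TRUE_VALUES = {"true", "yes", "sspi"}


def parse_connection_string(conn_str: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict keyed by canonical keyword."""
    parsed = {}
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # empty segment or trailing ';'
        key = key.strip().lower()
        parsed[ALIASES.get(key, key)] = value.strip().strip("'\"{}")
    return parsed


@dataclass
class Finding:
    server: str
    uses_windows_auth: bool
    shared_login: Optional[str]

    @property
    def risky(self) -> bool:
        # A fixed SQL login means the database sees every client user as the
        # same principal, so it cannot enforce per-user access (CWE-603).
        return not self.uses_windows_auth and self.shared_login is not None


def assess(conn_str: str) -> Finding:
    kv = parse_connection_string(conn_str)
    # In SqlClient, Integrated Security=true/SSPI makes any User ID/Password irrelevant.
    integrated = kv.get("integrated security", "").lower() in TRUE_VALUES
    return Finding(
        server=kv.get("server", "<unknown>"),
        uses_windows_auth=integrated,
        shared_login=None if integrated else kv.get("user id"),
    )


# Constructed samples: the weak shared-login form and the Windows-auth form.
WEAK_EXAMPLE = "Server=dbhost;Database=Dosimetry;User ID=app_login;Password=<placeholder>"
FIXED_EXAMPLE = "Server=dbhost;Database=Dosimetry;Integrated Security=SSPI"
```

Running `assess()` over the connection strings found in deployed client configuration files gives an inventory of which installations still share one SQL login and which already use per-user Windows authentication.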
Details
- CWE(s)