Cyber Posture

CVE-2025-62575

High

Published: 02 December 2025

Modified: 02 January 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none recorded
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0027 (50.4th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62575 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Mirion Biodose/Nmis. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 49.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent · AC-6 (Least Privilege): Enforces least privilege by ensuring database accounts like 'nmdbuser' are not assigned excessive sysadmin roles, directly preventing remote code execution via built-in stored procedures.
- prevent · AC-2 (Account Management): Manages account provisioning, privilege assignment, and periodic reviews to avoid defaulting application SQL accounts to sysadmin roles that enable exploitation.
- prevent: Establishes and enforces secure baseline configuration settings for databases, mitigating default sysadmin role assignments in NMIS/BioDose deployments.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability grants sysadmin privileges to SQL accounts, enabling remote code execution via built-in stored procedures on Microsoft SQL Server, directly mapping to Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures.

Deeper analysis

CVE-2025-62575 is a vulnerability in NMIS/BioDose versions V22.02 and earlier, which rely on a Microsoft SQL Server database. By default, the SQL user account 'nmdbuser' and other created accounts are assigned the sysadmin role, enabling remote code execution through certain built-in stored procedures. The issue stems from incorrect permission assignment (CWE-732) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

An attacker requires low privileges, such as access to an affected SQL account, to exploit the vulnerability remotely over the network with low complexity and no user interaction. Exploitation allows high confidentiality and integrity impacts, with low availability disruption, culminating in remote code execution on the SQL Server.

Mitigation details are provided in the CISA ICS Medical Advisory ICSMA-25-336-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01.
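The AC-6 and AC-2 controls above come down to one concrete check on the database server: no application login may hold the sysadmin fixed server role (or the equivalent CONTROL SERVER permission). The following T-SQL is an added example, not code from the advisory, the vendor, or this page's analysis. It assumes the login name 'nmdbuser' from the CVE description and a placeholder application database named [NMIS_DB]; it audits sysadmin membership, moves the login to database-scoped roles, and verifies the result.

```sql
-- Added example (not from the advisory or vendor): audit and least-privilege
-- remediation for application SQL logins on Microsoft SQL Server.
-- Assumptions: the application database is named [NMIS_DB] (placeholder);
-- the login name 'nmdbuser' comes from the CVE description.

-- 1. Audit: list every login that holds the sysadmin fixed server role.
--    Any application/service account appearing here is over-privileged.
SELECT sp.name      AS login_name,
       sp.type_desc AS login_type,
       sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;

--    CONTROL SERVER is equivalent to sysadmin; check it too.
SELECT sp.name AS login_name, p.permission_name, p.state_desc
FROM sys.server_permissions  AS p
JOIN sys.server_principals   AS sp ON sp.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'CONTROL SERVER';

-- 2. Remediate: remove the application login from sysadmin ...
ALTER SERVER ROLE sysadmin DROP MEMBER [nmdbuser];

-- 3. ... and grant only database-scoped rights in the application database.
USE [NMIS_DB];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'nmdbuser')
    CREATE USER [nmdbuser] FOR LOGIN [nmdbuser];
ALTER ROLE db_datareader ADD MEMBER [nmdbuser];
ALTER ROLE db_datawriter ADD MEMBER [nmdbuser];
-- EXECUTE on the application's own schema, so its stored procedures still work.
GRANT EXECUTE ON SCHEMA::dbo TO [nmdbuser];

-- 4. Verify: IS_SRVROLEMEMBER returns 0 once the login is out of sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin', 'nmdbuser') AS still_sysadmin;  -- expect 0
```

Run steps 2 and 3 against a non-production copy first: an application that was provisioned as sysadmin may silently depend on rights beyond the three database roles granted here, and any missing permission should be added at database scope rather than by restoring sysadmin. Re-run the step 1 audit on a schedule (the periodic review AC-2 calls for) so that newly created accounts do not inherit the default again.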

Details

CWE(s): CWE-732 Incorrect Permission Assignment for Critical Resource

Affected Products: mirion biodose/nmis ≤ 23.0

CVEs Like This One

- CVE-2025-61940 (same product: Mirion Biodose/Nmis)
- CVE-2026-26101 (shared CWE-732)
- CVE-2025-25373 (shared CWE-732)
- CVE-2026-4761 (shared CWE-732)
- CVE-2024-57547 (shared CWE-732)
- CVE-2025-22454 (shared CWE-732)
- CVE-2026-24834 (shared CWE-732)
- CVE-2024-46881 (shared CWE-732)
- CVE-2025-14979 (shared CWE-732)
- CVE-2025-0590 (shared CWE-732)
