Cyber Resilience

CVE-2025-62575

Severity: High
Published: 02 December 2025
Modified: 02 January 2026
KEV Added: not listed
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (50.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-62575 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Mirion Biodose/Nmis. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 49.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-62575 is a vulnerability in NMIS/BioDose versions V22.02 and earlier, which rely on a Microsoft SQL Server database. By default, the SQL user account 'nmdbuser' and other created accounts are assigned the sysadmin role, enabling remote code execution through certain built-in stored procedures. The issue stems from incorrect permission assignment (CWE-732) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

An attacker requires low privileges, such as access to an affected SQL account, to exploit the vulnerability remotely over the network with low complexity and no user interaction. Exploitation allows high confidentiality and integrity impacts, with low availability disruption, culminating in remote code execution on the SQL Server.

Mitigation details are provided in the CISA ICS Medical Advisory ICSMA-25-336-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01.

Vulnerability details

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures.

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability grants sysadmin privileges to SQL accounts, enabling remote code execution via built-in stored procedures on Microsoft SQL Server, directly mapping to Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61940 (same product: Mirion Biodose/Nmis)
CVE-2025-27688 (shared CWE-732)
CVE-2019-25344 (shared CWE-732)
CVE-2026-24291 (shared CWE-732)
CVE-2026-22676 (shared CWE-732)
CVE-2025-1067 (shared CWE-732)
CVE-2025-0066 (shared CWE-732)
CVE-2019-25343 (shared CWE-732)
CVE-2026-2637 (shared CWE-732)
CVE-2026-33430 (shared CWE-732)

Affected Assets

Vendor: Mirion
Product: Biodose/Nmis
Versions: ≤ 23.0

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): Enforces least privilege by ensuring database accounts like 'nmdbuser' are not assigned excessive sysadmin roles, directly preventing remote code execution via built-in stored procedures.

AC-2 Account Management (prevent): Manages account provisioning, privilege assignment, and periodic reviews to avoid defaulting application SQL accounts to sysadmin roles that enable exploitation.

Secure baseline configuration (prevent): Establishes and enforces secure baseline configuration settings for databases, mitigating default sysadmin role assignments in NMIS/BioDose deployments.
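A T-SQL audit and remediation script for the default sysadmin assignment the controls above describe, added here as an example and not taken from the advisory or from Mirion. The database name [NMIS], the database-level rights the application needs, and the xp_cmdshell check (assumed to be one of the built-in procedures of concern) are assumptions to confirm against vendor guidance before use.

```sql
-- Added example, not vendor or advisory code. Placeholders: [NMIS] is the
-- assumed application database name; [nmdbuser] is the login named in the advisory.

-- 1. Audit: every login holding the sysadmin server role. An application
--    service account such as nmdbuser should not appear in this list.
SELECT sp.name AS login_name, sp.type_desc, sp.create_date
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm
  ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Remediate: drop the application login from sysadmin, but refuse to
--    remove the last remaining member so the instance stays administrable.
IF (SELECT COUNT(*) FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    WHERE r.name = N'sysadmin') > 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [nmdbuser];
ELSE
    RAISERROR (N'nmdbuser is the only sysadmin; add an admin login first.', 16, 1);

-- 3. Grant database-level rights only. Assumption: the application needs
--    read/write access to its own tables; confirm the exact set with the
--    vendor before applying in production.
USE [NMIS];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'nmdbuser')
    CREATE USER [nmdbuser] FOR LOGIN [nmdbuser];
ALTER ROLE db_datareader ADD MEMBER [nmdbuser];
ALTER ROLE db_datawriter ADD MEMBER [nmdbuser];

-- 4. Verify: returns 0 once nmdbuser no longer holds sysadmin.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS still_sysadmin;

-- 5. Baseline check (assumption: xp_cmdshell is among the procedures of
--    concern): value_in_use should be 0 (disabled) on a hardened instance.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';
```

Run the audit (step 1) and baseline check (step 5) first on every affected instance and keep the output as the before/after evidence for the AC-2 periodic review.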
