CVE-2025-62575 | THREATINT

Description

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures.

PUBLISHED Reserved 2025-11-11 | Published 2025-12-02 | Updated 2025-12-02 | Assigner icscert

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

HIGH: 8.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

Product status

Default status

unaffected

Any version before 23.0

affected

23.0

unaffected

Credits

Joe Dillon reported these vulnerabilities to Mirion Medical. finder

References

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-336-01

cve.org (CVE-2025-62575)

nvd.nist.gov (CVE-2025-62575)