CVE-2025-64298 | THREATINT

Description

NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data.

PUBLISHED Reserved 2025-11-11 | Published 2025-12-02 | Updated 2025-12-02 | Assigner icscert

HIGH: 8.6CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.4CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

Product status

Default status

unaffected

Any version before 23.0

affected

23.0

unaffected

Credits

Joe Dillon reported these vulnerabilities to Mirion Medical. finder

References

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-336-01

cve.org (CVE-2025-64298)

nvd.nist.gov (CVE-2025-64298)