CVE-2025-61940 HIGH

CVE-2025-61940: Mirion Medical EC2 Software NMIS BioDose Use of Client-Side Authentication

Vendor: Mirion Medical
Product: EC2 Software NMIS BioDose
Weakness: CWE-603
Published: December 2, 2025
Last update: December 9, 2025

CVSS base score

8.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software, but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection.

Key dates

02 Disclosure timeline

December 2, 2025: CVE published
December 9, 2025: Record updated