CVE-2025-61940
Published: 02 December 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-61940 is a vulnerability in NMIS/BioDose versions V22.02 and earlier, stemming from the use of a single shared SQL Server user account with unrestricted database access. While the client application enforces user access restrictions through password authentication, the underlying database connection always uses this privileged account, so the client-side controls can be bypassed. The weakness is classified as CWE-603 and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
A low-privileged user (PR:L) with network access (AV:N) can exploit this issue with low attack complexity and no user interaction. Because every client session shares the same privileged database connection, an attacker can read data they are not authorized to see (high confidentiality impact), modify it (high integrity impact), and cause limited disruption (low availability impact).
The CISA ICS medical advisory (ICSMA-25-336-01) references mitigation via the latest NMIS/BioDose version, which introduces an option for Windows user authentication to restrict database connections based on user privileges.
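The T-SQL below is an added illustration of the weakness class the advisory describes and of the mitigation direction it points to (per-user Windows authentication with server-side privilege enforcement). It is not code from NMIS/BioDose, the vendor, or CISA. Every login, role and schema name (shared_app_login, CORP\BioDose-Technicians, dose_reader, dbo, and so on) is hypothetical, and the grants are an example of least privilege rather than the product's actual permission model.

```sql
-- ===== Weak pattern (what CWE-603 looks like at the database layer) =====
-- One shared SQL login, embedded in every copy of the client, holds full rights.
-- The client decides what a user may do; the server cannot tell users apart,
-- so anyone who can reach the database with these credentials has db_owner.
CREATE LOGIN shared_app_login WITH PASSWORD = 'PLACEHOLDER-CHANGE-ME';  -- hypothetical
CREATE USER shared_app_user FOR LOGIN shared_app_login;
ALTER ROLE db_owner ADD MEMBER shared_app_user;  -- every client session is db_owner

-- ===== Hardened pattern: identity and privilege enforced by the server =====
-- Clients connect with Windows integrated security, so each session carries
-- the caller's own principal instead of a shared secret.
CREATE LOGIN [CORP\BioDose-Technicians] FROM WINDOWS;  -- hypothetical AD group
CREATE LOGIN [CORP\BioDose-Admins]      FROM WINDOWS;  -- hypothetical AD group
CREATE USER  [CORP\BioDose-Technicians] FOR LOGIN [CORP\BioDose-Technicians];
CREATE USER  [CORP\BioDose-Admins]      FOR LOGIN [CORP\BioDose-Admins];

-- Least-privilege roles: the server, not the client, decides who may write.
CREATE ROLE dose_reader;
CREATE ROLE dose_editor;
GRANT SELECT                 ON SCHEMA::dbo TO dose_reader;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO dose_editor;  -- no DELETE, no DDL
ALTER ROLE dose_reader ADD MEMBER [CORP\BioDose-Technicians];
ALTER ROLE dose_editor ADD MEMBER [CORP\BioDose-Admins];

-- Retire the shared account once all clients use integrated security.
DROP USER  shared_app_user;
DROP LOGIN shared_app_login;

-- ===== Check: which database principals still hold db_owner? =====
-- On a hardened instance this should return only dbo and named DBA principals;
-- an application account here indicates the shared-privileged-login pattern.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals   AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'db_owner';
```

The final query is the check a defender can run today against an existing instance, before any upgrade: if an application login appears in db_owner, the server is trusting the client to enforce access, which is exactly the condition this CVE describes. Only after every client connects under its own Windows principal should the shared login be dropped, otherwise the remaining clients lose connectivity.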
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a remote service (T1210) by bypassing client-side controls through the privileged database connection, which in turn enables unauthorized database access (T1213.006) and manipulation of stored data (T1565.001).