Cyber Posture

CVE-2025-62575

Severity: High

Published: 02 December 2025
Modified: 02 January 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0023 (45.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Enforces least privilege by ensuring database accounts like 'nmdbuser' are not assigned excessive sysadmin roles, directly preventing remote code execution via built-in stored procedures.
- prevent: Manages account provisioning, privilege assignment, and periodic reviews to avoid defaulting application SQL accounts to sysadmin roles that enable exploitation.
- prevent: Establishes and enforces secure baseline configuration settings for databases, mitigating default sysadmin role assignments in NMIS/BioDose deployments.

Security Summary [AI-generated]

CVE-2025-62575 is a vulnerability in NMIS/BioDose versions V22.02 and earlier, which rely on a Microsoft SQL Server database. By default, the SQL user account 'nmdbuser' and other created accounts are assigned the sysadmin role, enabling remote code execution through certain built-in stored procedures. The issue stems from incorrect permission assignment (CWE-732) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

An attacker requires low privileges, such as access to an affected SQL account, to exploit the vulnerability remotely over the network with low complexity and no user interaction. Exploitation allows high confidentiality and integrity impacts, with low availability disruption, culminating in remote code execution on the SQL Server.

Mitigation details are provided in the CISA ICS Medical Advisory ICSMA-25-336-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01.
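The least-privilege control described above, as an added T-SQL audit-and-remediation script (not from the advisory or the vendor). It assumes the login name 'nmdbuser' from the CVE description; the application database name is a placeholder, and the database roles granted in step 3 are an assumption to be checked against the vendor's documented permission requirements.

```sql
-- Added example: audit and remediate sysadmin membership for the
-- NMIS/BioDose application login. Requires SQL Server 2012 or later
-- for ALTER SERVER ROLE; older versions use sp_dropsrvrolemember.

-- 1. Audit: every login that currently holds the sysadmin fixed server role.
SELECT m.name        AS login_name,
       m.type_desc   AS login_type,
       m.is_disabled
FROM   sys.server_role_members AS rm
       JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
       JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER  BY m.name;

-- 2. Remediate: strip sysadmin from the application login if it holds it.
IF IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;

-- 3. Replace it with database-scoped rights in the application database only.
--    [NMIS_APP_DB] is a placeholder; the real name is not in the advisory.
--    db_datareader/db_datawriter are an assumed minimum, not vendor guidance.
USE [NMIS_APP_DB];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'nmdbuser')
    CREATE USER nmdbuser FOR LOGIN nmdbuser;
ALTER ROLE db_datareader ADD MEMBER nmdbuser;
ALTER ROLE db_datawriter ADD MEMBER nmdbuser;
GO

-- 4. Verify: this query should now return no rows for the application login.
SELECT r.name AS role_name
FROM   sys.server_role_members AS rm
       JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
       JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
  AND  m.name = N'nmdbuser';
```

Step 1 also surfaces the "other created accounts" the description mentions, so the same DROP MEMBER step should be repeated for each application login it lists.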

Details

CWE(s): CWE-732 (Incorrect Permission Assignment for Critical Resource)

Affected Products

Vendor: mirion
Product: biodose/nmis
Version: ≤ 23.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability grants sysadmin privileges to SQL accounts, enabling remote code execution via built-in stored procedures on Microsoft SQL Server, directly mapping to Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
