CVE-2025-61940: CWE-603 in Mirion Medical EC2 Software NMIS BioDose
NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection.
AI Analysis
Technical Summary
CVE-2025-61940 is a vulnerability classified under CWE-603 (Use of Client-Side Authentication) in Mirion Medical's EC2 Software NMIS BioDose, versions 22.02 and earlier. The software relies on a single SQL Server user account, shared by every client installation, for all database access. The client application does enforce per-user access restrictions through a password check, but that check exists only in the client: the underlying database connection is opened with the shared account, which has broad privileges, regardless of whether or how the user authenticated. The client-side check is therefore the only control between a user and the full data set. If an attacker gains access to the client or intercepts the database connection, they could access or manipulate sensitive data without passing the application's authorization checks. The vulnerability requires no user interaction and is exploitable over the network, as the CVSS vector (AV:N/AC:L/AT:N/UI:N) indicates. The impact on confidentiality and integrity is high, since unauthorized database access could lead to data leakage or tampering. The latest NMIS/BioDose version adds an option to use Windows user authentication for the database connection, which moves access control to the database level and mitigates the issue. No public exploits have been reported yet, but the high CVSS score and the low complexity of exploitation make this a critical issue for affected environments.
Potential Impact
For European organizations, particularly those in healthcare, nuclear medicine, or radiation safety sectors that use Mirion Medical's EC2 Software NMIS BioDose, this vulnerability poses a significant risk. Unauthorized access to the database could lead to exposure or alteration of sensitive patient data, radiation dose records, or operational parameters, potentially violating GDPR and other data protection regulations. Integrity compromise could affect patient safety and regulatory compliance. The network-exploitable nature of the vulnerability increases the attack surface, especially in environments where the software is reachable over internal or external networks. Because no user interaction is required and attack complexity is low, attackers could automate exploitation, increasing the likelihood of successful attacks. This could result in operational disruptions, reputational damage, and legal consequences for affected organizations.
Mitigation Recommendations
European organizations should prioritize upgrading to the latest version of NMIS/BioDose that supports Windows user authentication for the database connection, thereby enforcing proper access controls at the database level. Until upgrades are applied, organizations should restrict network access to the database server using network segmentation and firewall rules, limiting connections only to trusted clients. Implementing strong monitoring and logging of database access can help detect anomalous activities. Additionally, organizations should review and harden SQL Server permissions to minimize privileges granted to the shared account. Employing encryption for database connections (e.g., TLS) can reduce the risk of interception. Regularly auditing client and server configurations to ensure no default or weak credentials are used is also critical. Finally, organizations should prepare incident response plans specific to potential data breaches involving this software.
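The following T-SQL is an added illustration, not Mirion's code or its documented upgrade procedure. It contrasts the shared-account shape the advisory describes with a least-privilege, Windows-authenticated setup, and ends with a monitoring query for sessions on the shared login. The database name NMIS, the login biodose_app, the group CORP\BioDose-Operators, the host allow-list and the client program name are all placeholders.

```sql
-- Added example (not vendor code). [NMIS], biodose_app, CORP\BioDose-Operators,
-- the host names and the program name are placeholders, not values from the advisory.

-- 1. The weak shape the advisory describes: one SQL Server login shared by every
--    client install, with broad rights in the application database. Anyone holding
--    its password reaches the data directly, whatever the client's own password check says.
-- CREATE LOGIN biodose_app WITH PASSWORD = '<shared-password>';
-- ALTER ROLE db_owner ADD MEMBER biodose_app;     -- typical over-grant

-- 2. Hardened shape: per-user Windows authentication, least privilege through a role.
--    (Server-side counterpart of the Windows-authentication option; assumed, not vendor-specified.)
USE [NMIS];
GO
CREATE LOGIN [CORP\BioDose-Operators] FROM WINDOWS;
CREATE USER  [CORP\BioDose-Operators] FOR LOGIN [CORP\BioDose-Operators];
CREATE ROLE biodose_operator;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO biodose_operator;   -- no DELETE, ALTER or EXECUTE
ALTER ROLE biodose_operator ADD MEMBER [CORP\BioDose-Operators];
GO
-- Once every client connects with Windows authentication, strip and disable the shared account.
ALTER ROLE db_owner DROP MEMBER biodose_app;
ALTER LOGIN biodose_app DISABLE;
GO

-- 3. Monitoring while the shared account still exists: live sessions on it that come from
--    hosts outside the known client list, from a program other than the client, or over
--    an unencrypted connection. program_name is client-supplied, so treat it as a weak signal.
SELECT s.session_id, s.login_time, s.login_name, s.host_name, s.program_name,
       c.auth_scheme, c.client_net_address, c.encrypt_option
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.login_name = 'biodose_app'
  AND (   s.host_name NOT IN ('NMIS-WS01', 'NMIS-WS02')   -- placeholder allow-list
       OR s.program_name NOT LIKE 'NMIS%'                  -- placeholder client name
       OR c.encrypt_option = 'FALSE');
```

After migration, the same query with `s.login_name = 'biodose_app'` should return no rows; a hit means a client that was never switched to Windows authentication or a direct connection with the shared credentials.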
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Switzerland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-11-11T20:56:52.843Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f572b3b1ed793e36e7581
Added to database: 12/2/2025, 9:16:27 PM
Last enriched: 12/2/2025, 9:17:43 PM
Last updated: 12/2/2025, 10:43:15 PM
Related Threats
- CVE-2025-55181: Excessive Iteration (CWE-834) in Facebook proxygen (Medium)
- CVE-2025-64778: CWE-798 Use of Hard-coded Credentials in Mirion Medical EC2 Software NMIS BioDose (High)
- CVE-2025-64642: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose (High)
- CVE-2025-64298: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose (High)
- CVE-2025-62575: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose (High)