CVE-2025-61940: CWE-603 in Mirion Medical EC2 Software NMIS BioDose
NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software, but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection.
AI Analysis
Technical Summary
CVE-2025-61940 is a vulnerability classified under CWE-603 (Use of Client-Side Authentication) affecting Mirion Medical's EC2 Software NMIS BioDose, version 22.02 and prior. The core issue is the software's reliance on a shared SQL Server user account for database access: the client application enforces user authentication with a password check, but the underlying database connection uses constant, broadly permissive credentials regardless of which user passed that check. Once an attacker has access to the client application environment (and therefore to the shared credentials it carries), they can bypass the client-side check entirely and interact with the database directly, potentially reading or modifying data. The vulnerability requires no user interaction and only low privileges (PR:L), and the attack vector is network-based with low complexity. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) reflects high confidentiality and integrity impacts, limited availability impact, and no impact on subsequent systems. The vendor has addressed this issue in the latest NMIS/BioDose version by introducing an option for Windows user authentication, which ties database access to individual Windows user accounts rather than one shared login, thereby restricting unauthorized database connections. No known exploits are currently reported in the wild, but the vulnerability's nature and impact warrant urgent attention, especially in environments handling sensitive medical data.
Potential Impact
For European organizations, particularly those in healthcare, medical research, and radiation safety sectors using Mirion Medical's NMIS BioDose software, this vulnerability poses significant risks. Unauthorized access to the database could lead to exposure or manipulation of sensitive patient data, radiation dose records, or compliance-related information, potentially violating GDPR and other data protection regulations. Integrity breaches could result in inaccurate dose measurements or reports, impacting patient safety and regulatory compliance. The ease of exploitation without user interaction or elevated privileges increases the threat level, especially in environments where endpoint security or network segmentation is insufficient. Disruption or data tampering could also undermine trust in medical devices and software, leading to operational and reputational damage. Given the critical nature of medical data and regulatory scrutiny in Europe, the impact extends beyond technical compromise to legal and financial consequences.
Mitigation Recommendations
European organizations should prioritize upgrading to the latest NMIS/BioDose version that supports Windows user authentication to enforce per-user database access controls. Until upgrades are applied, restrict network access to the SQL Server instance hosting the NMIS/BioDose database using firewalls and network segmentation to limit exposure. Implement strict access controls on client machines running the software, including endpoint protection and least privilege principles to reduce the risk of local compromise. Monitor database access logs for unusual activity indicative of unauthorized access attempts. Consider deploying database activity monitoring tools to detect and alert on anomalous queries or connections. Conduct regular audits of user accounts and credentials used by the software to ensure no unauthorized sharing or leakage. Engage with Mirion Medical support for any available patches or workarounds and maintain awareness of emerging exploit reports. Finally, integrate this vulnerability into incident response plans to enable rapid containment if exploitation is suspected.
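Detection logic for the monitoring step above, as an added example rather than code from Mirion or the advisory: it walks constructed session records shaped like SQL Server's sys.dm_exec_sessions and flags use of the shared application login from hosts or programs other than the NMIS/BioDose client. The shared login name, the client's program name and the host allow-list are placeholders.

```python
"""Flag SQL Server sessions that use the shared NMIS/BioDose SQL login outside the
expected client footprint. Rows mirror columns of sys.dm_exec_sessions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SHARED_LOGIN = "nmis_app_user"              # placeholder: the shared SQL account
EXPECTED_PROGRAM = "NMIS BioDose Client"    # placeholder: client's self-reported name
ALLOWED_HOSTS = {"WS-RAD-01", "WS-RAD-02"}  # constructed: segmented client workstations


@dataclass
class Session:
    session_id: int
    login_name: str
    host_name: str
    program_name: str
    client_interface_name: str


def classify(s: Session) -> List[str]:
    """Return the reasons a session is suspicious; an empty list means it looks normal."""
    reasons: List[str] = []
    if s.login_name.lower() != SHARED_LOGIN.lower():
        return reasons  # per-user logins are not the CWE-603 path; only the shared one is
    if s.host_name.upper() not in ALLOWED_HOSTS:
        reasons.append("shared login used from a host outside the client allow-list")
    if s.program_name != EXPECTED_PROGRAM:
        # Ad-hoc tools (SSMS, sqlcmd, scripts) authenticating as the app account are the
        # classic client-side-auth bypass. program_name is set by the client and can be
        # spoofed, so a mismatch is a strong signal but a match proves nothing.
        reasons.append(f"unexpected program_name {s.program_name!r}")
    return reasons


def flag_sessions(sessions: Iterable[Session]) -> Dict[int, List[str]]:
    """Map session_id -> reasons for every session that classify() finds suspicious."""
    return {s.session_id: r for s in sessions if (r := classify(s))}


# Constructed sample rows, not real telemetry.
SAMPLE = [
    Session(51, "nmis_app_user", "WS-RAD-01", "NMIS BioDose Client", "ODBC"),
    Session(52, "nmis_app_user", "LAPTOP-7F", "SQL Server Management Studio", ".Net SqlClient Data Provider"),
    Session(53, "CORP\\jdoe", "WS-RAD-02", "NMIS BioDose Client", "ODBC"),
    Session(54, "nmis_app_user", "WS-RAD-02", "python", "ODBC"),
]

if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE).items():
        print(f"session {sid}: " + "; ".join(reasons))
```

Once the Windows-authentication option is enabled, the shared login should disappear from these records altogether; any remaining use of it is itself a finding.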
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-11-11T20:56:52.843Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f572b3b1ed793e36e7581
Added to database: 12/2/2025, 9:16:27 PM
Last enriched: 12/9/2025, 9:58:40 PM
Last updated: 1/16/2026, 7:16:23 PM