
CVE-2025-62575: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose

Severity: High
Tags: Vulnerability, CVE-2025-62575, CWE-732
Published: Tue Dec 02 2025 (12/02/2025, 21:11:20 UTC)
Source: CVE Database V5
Vendor/Project: Mirion Medical
Product: EC2 Software NMIS BioDose

Description

CVE-2025-62575 is a high-severity vulnerability in Mirion Medical's EC2 Software NMIS BioDose, affecting versions up to V22.02. The issue arises because the SQL Server login 'nmdbuser' and the other logins the product creates are assigned the sysadmin fixed server role by default, granting far more privilege than the application needs. Because sysadmin can enable and call built-in stored procedures that run operating-system commands, anyone who can reach the SQL Server instance over the network and authenticate as one of these accounts can execute arbitrary code on the database host; no user interaction is needed and the only prerequisite is that low-privileged application credential. The vulnerability has a CVSS 4.0 score of 8.7, reflecting high impact on confidentiality and integrity. Although no exploits are currently reported in the wild, exploitation is straightforward once the credential is obtained and the resulting access is instance-wide administrative control, so it is a pressing concern. European healthcare and medical research organizations running this software are particularly exposed given the sensitivity of the data and the applicable regulatory requirements. Mitigation requires immediate privilege reduction for the SQL accounts, strict network access control around the SQL Server instance, and monitoring of database activity.

AI-Powered Analysis

Last updated: 12/09/2025, 21:23:17 UTC

Technical Analysis

CVE-2025-62575 is a vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting Mirion Medical's EC2 Software NMIS BioDose, versions up to V22.02. The software relies on a Microsoft SQL Server backend, and the SQL login 'nmdbuser' together with the other logins created by the installation are members of the sysadmin fixed server role by default. sysadmin grants unrestricted administrative control over the whole SQL Server instance (every database, every server-level setting, and the ability to turn on features that ship disabled), which is far more than an application account needs to read and write its own database. Because of this, an attacker who can reach the SQL Server over the network and authenticate with one of these credentials can use built-in stored procedures to execute operating-system commands on the database host, leading to full compromise of that host. The CVSS 4.0 vector reflects this: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, meaning the application's own SQL credential, not an administrative OS or domain account), no user interaction (UI:N), and high impact on confidentiality and integrity with low impact on availability (VC:H, VI:H, VA:L in CVSS 4.0 notation); the 8.7 score follows from those values. No public exploit is currently known, but turning sysadmin into host code execution is generic SQL Server tradecraft rather than anything specific to this product, so the absence of a public exploit offers little assurance. The root cause is improper permission assignment during installation or configuration, in violation of the principle of least privilege. Exploitation could allow an attacker to run arbitrary commands on the host, read or modify sensitive medical data, disrupt operations, or pivot to other network assets. Given the critical nature of medical data and regulatory frameworks such as GDPR, exploitation could have severe legal and operational consequences.
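The following T-SQL is an added example, not part of the advisory or of any Mirion-supplied material. It confirms the condition described above on a SQL Server instance: which logins hold sysadmin, whether the login named in the advisory is among them, the state of the OS-execution features a sysadmin can switch on, and the effective server-scope permissions of that login. It assumes the login name 'nmdbuser' from the advisory; the names of any other product-created logins are not known from the page, so they are discovered by the first query rather than guessed. Run it from a DBA (sysadmin) session.

```sql
-- Added example (not from the advisory or the vendor): confirm the
-- CVE-2025-62575 condition on a SQL Server instance. Run as a DBA.
-- Assumption: the application login is 'nmdbuser' as named in the advisory.

-- 1. Every login that is a member of the sysadmin fixed server role.
--    Application/service logins listed here are the over-privileged accounts.
SELECT  sp.name        AS login_name,
        sp.type_desc   AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN, ...
        sp.create_date,
        sp.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Direct check of the login named in the advisory:
--    1 = member, 0 = not a member, NULL = no such login on this instance.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin;

-- 3. State of the features a sysadmin would use to run OS commands.
--    A 0 here is NOT protection while the login is still sysadmin, because
--    sysadmin can flip these with sp_configure at any time; it only becomes
--    a control once no application login holds the role.
SELECT  name,
        CAST(value_in_use AS int) AS enabled
FROM    sys.configurations
WHERE   name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'clr enabled');

-- 4. What the application login can effectively do at server scope right now.
--    A sysadmin member gets the complete list, including CONTROL SERVER.
EXECUTE AS LOGIN = N'nmdbuser';
SELECT permission_name
FROM   fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;
REVERT;
```

Query 1 is the one to keep in a scheduled compliance check: any SQL_LOGIN other than the DBA break-glass accounts appearing in the sysadmin list is a finding, whatever its name.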

Potential Impact

For European organizations, particularly those in healthcare, medical research, and radiation safety sectors using Mirion Medical's EC2 Software NMIS BioDose, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive patient and research data, violating GDPR and other data protection regulations. The ability to execute arbitrary code remotely could result in ransomware deployment, data destruction, or prolonged system outages, severely impacting patient care and operational continuity. Additionally, compromised systems could be used as footholds for lateral movement within hospital or research networks, increasing the attack surface. The reputational damage and potential regulatory fines from data breaches would be significant. Given the critical role of NMIS BioDose in radiation dose monitoring and safety compliance, disruption could also lead to non-compliance with safety standards, endangering personnel and patients. The high CVSS score reflects the severity and ease of exploitation, emphasizing the urgency for European organizations to address this vulnerability promptly.

Mitigation Recommendations

1. Immediately audit and reduce the privileges of 'nmdbuser' and any other SQL logins created by the EC2 Software NMIS BioDose installation: remove the sysadmin role and grant only the minimum permissions the application needs in its own database. Before changing production, confirm with Mirion which rights the application genuinely requires (installers sometimes rely on sysadmin for database creation or upgrade steps) and rehearse the change on a staging copy; re-check role membership after every product upgrade, since an installer may re-grant it.
2. Change the password of 'nmdbuser' and the other product logins if it is documented, shared between sites, or stored in configuration files that others can read. With sysadmin rights, possession of that credential is the only prerequisite for exploitation.
3. Implement network segmentation and firewall rules so that the SQL Server instance (TCP 1433 and any named-instance ports) is reachable only from the application servers and administrator hosts that need it.
4. Disable xp_cmdshell and Ole Automation Procedures with sp_configure. This is only meaningful after step 1, because any login still in sysadmin can re-enable them.
5. Enable detailed logging and monitoring of SQL Server activity, in particular server role membership changes, server-level permission grants, execution of xp_cmdshell, and failed logins, and forward the audit records to a central log platform.
6. Apply the principle of least privilege in all database and application configurations, reviewing default settings during installation and upgrades.
7. If available, apply vendor patches or updates addressing this vulnerability as soon as they are released; if none exist, rely on the compensating controls above, including isolating the database server.
8. Conduct regular vulnerability assessments and penetration tests focused on database security and privilege management.
9. Train IT and security staff on secure configuration of Microsoft SQL Server and of this application specifically, to prevent recurrence.
10. Develop and test incident response plans for exploitation scenarios involving compromise of the database server.
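The following T-SQL is an added example of the remediation and monitoring steps above; it is not vendor-supplied and has not been validated against the product. The database name NMISBioDose, the custom role name app_nmis_rw, and the assumption that the application needs only read/write access and EXECUTE on stored procedures in schema dbo are placeholders: confirm the real requirements with Mirion and rehearse on a staging copy before running anything against production.

```sql
-- Added example (not vendor-supplied): least-privilege remediation and
-- detection for the CVE-2025-62575 condition. Run by a DBA in a sysadmin
-- session. Placeholders: database NMISBioDose, role app_nmis_rw, and the
-- assumed permission set; confirm with the vendor before use in production.

USE master;
GO

-- 1. Drop the application login from sysadmin. Repeat after every product
--    upgrade in case the installer re-grants it.
IF IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;
GO

-- 2. With no application login in sysadmin, disabling the OS-execution
--    features now actually sticks (only sysadmin can re-enable them).
EXEC sp_configure N'show advanced options', 1;     RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure N'Ole Automation Procedures', 0; RECONFIGURE;
GO

-- 3. TRUSTWORTHY ON together with a db_owner user is a well-known route back
--    to sysadmin; make sure the application database does not have it.
ALTER DATABASE NMISBioDose SET TRUSTWORTHY OFF;
GO

-- 4. Grant the application only what it needs inside its own database,
--    through a custom role rather than db_owner.
USE NMISBioDose;
GO
IF DATABASE_PRINCIPAL_ID(N'nmdbuser') IS NULL
    CREATE USER nmdbuser FOR LOGIN nmdbuser;
IF DATABASE_PRINCIPAL_ID(N'app_nmis_rw') IS NULL
    CREATE ROLE app_nmis_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_nmis_rw;
GRANT EXECUTE ON SCHEMA::dbo TO app_nmis_rw;
ALTER ROLE app_nmis_rw ADD MEMBER nmdbuser;
IF IS_ROLEMEMBER(N'db_owner', N'nmdbuser') = 1
    ALTER ROLE db_owner DROP MEMBER nmdbuser;
GO

-- 5. Detection: audit server role membership changes, server permission
--    changes, tampering with the audit itself, failed logins, and every
--    execution of xp_cmdshell (which lives in master.dbo) by anyone.
USE master;
GO
CREATE SERVER AUDIT nmis_priv_audit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION nmis_priv_audit_spec
    FOR SERVER AUDIT nmis_priv_audit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
CREATE DATABASE AUDIT SPECIFICATION nmis_xp_cmdshell_audit
    FOR SERVER AUDIT nmis_priv_audit
    ADD (EXECUTE ON OBJECT::dbo.xp_cmdshell BY public)
    WITH (STATE = ON);
ALTER SERVER AUDIT nmis_priv_audit WITH (STATE = ON);
GO

-- 6. Verify: must return 0 once the remediation has taken effect.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin;
```

Step order matters: the sp_configure and TRUSTWORTHY changes in steps 2 and 3 are only durable after step 1, because a login that is still in sysadmin can undo them. The audit in step 5 writes to the Windows Application log; on a production instance you would normally target a file share or Security log that the SIEM already collects.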


Technical Details

Data Version
5.2
Assigner Short Name
icscert
Date Reserved
2025-11-11T20:56:52.854Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 692f572b3b1ed793e36e7584

Added to database: 12/2/2025, 9:16:27 PM

Last enriched: 12/9/2025, 9:23:17 PM

Last updated: 1/17/2026, 2:49:13 AM

