
CVE-2025-62575: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose

Severity: High
Tags: Vulnerability, CVE-2025-62575, CWE-732
Published: Tue Dec 02 2025 (12/02/2025, 21:11:20 UTC)
Source: CVE Database V5
Vendor/Project: Mirion Medical
Product: EC2 Software NMIS BioDose

Description

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures.

AI-Powered Analysis

AI analysis last updated: 12/02/2025, 21:17:30 UTC

Technical Analysis

CVE-2025-62575 is a vulnerability categorized under CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting Mirion Medical's EC2 Software NMIS BioDose, versions 22.02 and earlier. The software relies on a Microsoft SQL Server backend where the default SQL user account 'nmdbuser' and other accounts created by the product are assigned the sysadmin role by default. Because sysadmin is the highest-privileged fixed server role, any session authenticated as one of these accounts can invoke built-in stored procedures that run operating-system commands on the database host, turning database access into remote code execution. The vulnerability requires no user interaction; the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) describes a network attack vector with low complexity, no user interaction and only low privileges required (credentials for one of the over-privileged database accounts), resulting in high confidentiality and integrity impact and low availability impact. Although no public exploits have been reported yet, the potential for remote code execution poses a serious threat to systems running this software. The vulnerability is particularly critical in healthcare environments where the software manages radiation dose data, making the protection of patient data and system availability paramount. The lack of available patches at the time of disclosure necessitates immediate compensating controls to reduce risk.

Potential Impact

For European organizations, especially those in the healthcare sector using Mirion Medical's EC2 Software NMIS BioDose, this vulnerability could lead to unauthorized remote code execution on critical systems managing sensitive patient radiation dose data. This can result in data breaches compromising patient confidentiality, manipulation or deletion of critical medical data affecting treatment integrity, and potential system downtime impacting healthcare delivery. Given the regulatory environment in Europe, including GDPR and medical device regulations, exploitation could also lead to significant legal and compliance consequences. Because exploitation needs only low privileges on the database and no user interaction, a single leaked or default application credential is enough, increasing the risk of widespread exploitation across multiple healthcare providers and associated supply chains. The impact extends beyond data loss to patient safety risks if medical devices or treatment planning systems are compromised.

Mitigation Recommendations

Immediate mitigation steps include auditing and reducing the privileges of all SQL Server accounts used by the NMIS BioDose software, in particular removing the sysadmin role from 'nmdbuser' and any other accounts with excessive permissions and replacing it with the minimum database-level rights the application actually needs. Network segmentation should be enforced so that only trusted application hosts and administrators can reach the SQL Server instance. Implement monitoring and alerting for unusual database activity, such as changes to server-role membership or execution of command-execution stored procedures by non-administrative accounts. Organizations should engage with Mirion Medical for any forthcoming patches or updates addressing this issue and plan for timely deployment. Additionally, applying SQL Server security best practices, such as least-privilege role assignment, disabling unused stored procedures, and enforcing strong authentication mechanisms, will help reduce risk. Backup and recovery plans should be reviewed and tested to ensure resilience against potential exploitation. Finally, penetration testing and vulnerability scanning focused on this weakness can help identify exposure and verify that the mitigations are effective.
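The following T-SQL script is an added example of how a database administrator could carry out the privilege reduction and monitoring steps described above; it is not part of the original advisory and not vendor-supplied. It assumes the login name 'nmdbuser' from the advisory, uses NMIS_DB as a placeholder for the application's actual database name, and treats xp_cmdshell as the standard example of a built-in command-execution procedure to keep disabled (the advisory does not name which procedures are involved). The db_datareader/db_datawriter grants are a starting point; the application may need additional rights (for example EXECUTE on its own stored procedures), which should be confirmed with the vendor before rollout.

```sql
-- 1. Inventory: which logins currently hold the fixed server role sysadmin?
--    Anything other than the DBA's own login should be questioned.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO

-- 2. Remove the application login from sysadmin (the advisory's 'nmdbuser').
ALTER SERVER ROLE sysadmin DROP MEMBER nmdbuser;
GO

-- 3. Grant least privilege inside the application database instead.
--    NMIS_DB is a placeholder: substitute the real BioDose database name.
USE NMIS_DB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'nmdbuser')
    CREATE USER nmdbuser FOR LOGIN nmdbuser;
GO
ALTER ROLE db_datareader ADD MEMBER nmdbuser;
ALTER ROLE db_datawriter ADD MEMBER nmdbuser;
GO

-- 4. Make sure command-execution stored procedures are disabled at the
--    instance level (xp_cmdshell is an advanced option, so it must be
--    exposed before it can be set; the script hides it again afterwards).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- 5. Audit any future change to server-role membership and any
--    impersonation of server principals, so a re-grant of sysadmin or
--    an EXECUTE AS LOGIN by the application account raises an alert.
--    The file path is a placeholder for a protected, centrally collected
--    location.
USE master;
GO
CREATE SERVER AUDIT AuditPrivilegeChanges
    TO FILE (FILEPATH = N'C:\SQLAudit\');
GO
CREATE SERVER AUDIT SPECIFICATION AuditPrivilegeChangesSpec
    FOR SERVER AUDIT AuditPrivilegeChanges
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
    ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT AuditPrivilegeChanges WITH (STATE = ON);
GO

-- 6. Re-run the inventory from step 1 to confirm nmdbuser no longer appears.
```

Run the script as a genuine administrator in SQL Server Management Studio or sqlcmd (the GO separators are batch delimiters for those tools). Step 2 must be tested against the application in a staging environment first, because an application that was written against sysadmin may silently depend on it; step 5's audit output should be forwarded to the SIEM that already receives the host's Windows event logs.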


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2025-11-11T20:56:52.854Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692f572b3b1ed793e36e7584

Added to database: 12/2/2025, 9:16:27 PM

Last enriched: 12/2/2025, 9:17:30 PM

Last updated: 12/2/2025, 10:42:05 PM

Views: 3
