CVE-2025-64298: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose
NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data.
AI Analysis
Technical Summary
CVE-2025-64298 is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). It affects Mirion Medical's EC2 Software NMIS BioDose, version 22.02 and earlier, in installations that use the embedded Microsoft SQL Server Express instance. In networked installs the SQL Server database files (typically .mdf and .ldf) and the application's configuration files live inside the Windows share that NMIS/BioDose clients connect to, and the default directory permissions do not fence that subtree off from ordinary share users. Anyone who can open the share can therefore read, and depending on the NTFS rights also modify or delete, files that can contain sensitive patient and operational data, which maps to the high confidentiality, integrity and availability impacts in the vector. Note that SQL Server itself never needs clients to touch these files: the engine opens them locally under its service account, and clients talk to it over TCP or named pipes, so client file access to the data directory is pure exposure with no functional purpose. The CVSS 4.0 base score is 8.6 (High). The page records the vector as AV:L, AC:L, PR:N, UI:N, VC:H, VI:H, VA:H; be aware that AV:L in CVSS means Local, not "local network", which sits awkwardly with a weakness reached over an SMB share, so in practice treat every host that can map the share as in scope. No exploitation in the wild has been reported. The CVE was reserved on 2025-11-11 and published on 2025-12-02 (assigner: icscert). No patch or vendor update is linked on this page, so mitigation rests on share and NTFS permissions and on network controls.
Potential Impact
The primary impact for European organizations, especially healthcare providers, is unauthorized exposure of the medical and operational data stored in the NMIS BioDose SQL Server database and configuration files. That is a patient-confidentiality breach and, under GDPR, a reportable personal-data incident with the legal and financial consequences that follow. Write access to the same files would let an attacker alter or corrupt dose-monitoring data or take the database offline by damaging or locking the files, which affects both integrity and availability of a clinical function and can endanger patient safety. Exploitation needs nothing more than the ability to reach the share: no credentials beyond those of an ordinary client, and no user interaction, which puts it within reach of an insider or of any attacker who has gained a foothold on the clinical network. With no known exploits the threat is currently theoretical, but the combination of high impact and trivial exploitation warrants proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2025-64298, first audit every share on the NMIS BioDose server and identify which one exposes the SQL Server data and configuration files. Then restrict access at the right layer: clients legitimately need the share for the application, but they never need the database or configuration files, so remove broad principals (Everyone, Authenticated Users, Domain Users) from the NTFS ACL of the data and configuration subdirectories and grant rights only to the SQL Server service account and local administrators; if the vendor's installation guidance allows it, relocating the database files to a directory outside the share removes the exposure entirely. Enforce network segmentation so that only the workstations that run the client can reach SMB on the server, and back that up with host firewall rules on TCP 445. Enable the "File Share" and "Detailed File Share" audit subcategories and forward Security events 5140 and 5145 to the SIEM so that reads of the data directory by anything other than the service account stand out. Apply a vendor fix as soon as Mirion Medical publishes one; until then, endpoint protection on the server should alert on processes other than SQL Server opening .mdf/.ldf files. Brief the administrators who build and maintain these installs on the share-versus-NTFS permission model, since the defect is a default that is easy to reproduce by hand. Finally, document the assessment and the steps taken to support GDPR accountability.
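The audit and hardening steps above, as an added PowerShell example; this is not Mirion's code and it does not know where NMIS/BioDose keeps its files, so the share contents are discovered by file type and the directory and account names used at the end are placeholders. It assumes an elevated session on the server that hosts the share, the SmbShare module (Windows Server 2012 or later), and that the instance runs as the default Express per-service account NT SERVICE\MSSQL$SQLEXPRESS, which must be confirmed against the actual install.

```powershell
# Added example, not part of the NMIS/BioDose product or the advisory.
# Audits non-administrative SMB shares for SQL Server data / config files that are
# reachable by broad principals, and optionally locks the containing directory down.

# Principals that should never hold rights on database or configuration files.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')

function Test-BroadPrincipal {
    param([string]$Identity)
    foreach ($p in $BroadPrincipals) {
        if ($Identity -like "*$p") { return $true }   # matches with or without a domain prefix
    }
    return $false
}

function Find-ExposedSqlShare {
    # One result per share/directory pair that holds SQL Server or config files.
    # Effective access is the more restrictive of share ACL and NTFS ACL, so a
    # broad principal on BOTH lists means the files are exposed; on one list only
    # it is a latent risk that a later change can turn into exposure.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $files = Get-ChildItem -Path $share.Path -Recurse -File `
                     -Include *.mdf, *.ldf, *.ndf, *.ini, *.config -ErrorAction SilentlyContinue
        if (-not $files) { continue }

        $shareBroad = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) } |
            ForEach-Object { "$($_.AccountName) : $($_.AccessRight)" }

        foreach ($dir in ($files | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)) {
            $ntfsBroad = (Get-Acl -Path $dir).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value) } |
                ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" }

            [pscustomobject]@{
                Share          = $share.Name
                Directory      = $dir
                Files          = ($files | Where-Object { $_.DirectoryName -eq $dir }).Name -join ', '
                ShareBroadACEs = $shareBroad -join '; '
                NtfsBroadACEs  = $ntfsBroad  -join '; '
                Exposed        = [bool]($shareBroad -and $ntfsBroad)
            }
        }
    }
}

function Protect-SqlDataDirectory {
    # Breaks inheritance from the share root, strips broad principals from the
    # directory's NTFS ACL and grants FullControl only to the accounts given.
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string[]]$AllowedAccounts
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)      # stop inheriting; keep copies as explicit ACEs
    Set-Acl -Path $Path -AclObject $acl

    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    foreach ($acct in $AllowedAccounts) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $acct, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Enable-ShareAccessAuditing {
    # Turns on the audit subcategories behind Security events 5140 (share opened)
    # and 5145 (object in share checked), so reads of the data directory are logged.
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null
}

# Usage: audit first; the remediation call below uses placeholder names and is left
# commented out because it changes ACLs. Verify the SQL service account before running it.
Find-ExposedSqlShare | Format-List
# Protect-SqlDataDirectory -Path 'D:\NMIS\SQLData' `
#     -AllowedAccounts 'NT SERVICE\MSSQL$SQLEXPRESS', 'BUILTIN\Administrators'
# Enable-ShareAccessAuditing
```

Run the audit before and after remediation and confirm that the `Exposed` column has cleared for every directory holding .mdf/.ldf files while the application still starts; if SQL Server fails to open the database afterwards, the service account passed in `-AllowedAccounts` was wrong, and the ACL can be restored by re-enabling inheritance on the directory.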
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-11-11T20:56:52.837Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f572b3b1ed793e36e7587
Added to database: 12/2/2025, 9:16:27 PM
Last enriched: 12/9/2025, 9:59:02 PM
Last updated: 1/17/2026, 12:50:24 AM
Related Threats
- CVE-2025-5489 (Low)
- CVE-2025-5102 (Low)
- CVE-2024-8506 (Low)
- CVE-2024-8491 (Low)
- CVE-2026-23745: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar (High)