
CVE-2025-64298: CWE-732 Incorrect Permission Assignment for Critical Resource in Mirion Medical EC2 Software NMIS BioDose

Severity: High
Tags: Vulnerability, CVE-2025-64298, CWE-732
Published: Tue Dec 02 2025 (12/02/2025, 21:05:38 UTC)
Source: CVE Database V5
Vendor/Project: Mirion Medical
Product: EC2 Software NMIS BioDose

Description

NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data.

AI-Powered Analysis

AI analysis last updated: 12/02/2025, 21:17:16 UTC

Technical Analysis

CVE-2025-64298 is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and affects Mirion Medical's EC2 Software NMIS/BioDose, version 22.02 and earlier, in installations that use the embedded Microsoft SQL Server Express. In networked installs the directory holding the SQL Server database and configuration files sits under the Windows share that client workstations connect to, and by default that directory tree carries permissions broad enough that any client able to reach the share can read, and potentially modify, those files. Because the files include the database itself and the instance configuration, they may expose sensitive data and settings that an attacker can copy or tamper with.

The page records a CVSS 4.0 base score of 8.6 with the metrics AV:L, AC:L, AT:N, PR:N, UI:N and VC:H, VI:H, VA:H: low attack complexity, no privileges, no user interaction, and high impact on confidentiality, integrity and availability (data exfiltration, altered configuration, or a corrupted database that takes the service down). Note that AV:L is the Local attack vector in CVSS terminology, not "remote within the local network"; the description, however, places the weakness on a share reached by clients over the network, so in practice the exposure extends to any host that can open the SMB share. No public exploit is known, but the issue is publicly disclosed.

This is a common share misconfiguration, but it matters more here than usual: the data is medical, and the database is an embedded instance whose file permissions administrators may never have reviewed. At the time of this analysis no vendor patch was listed, so mitigation relies on permission changes and network controls.

Potential Impact

For European organizations, especially healthcare providers running Mirion Medical's EC2 Software NMIS/BioDose, this vulnerability puts the confidentiality of the data held in the SQL Server files and the integrity of the application at risk. Unauthorized reads of the database files could expose sensitive medical information, with GDPR consequences (fines and reputational damage) on top of the breach itself. Unauthorized writes could corrupt dose assessment or reporting functions and so affect clinical decisions, and deleting or overwriting the database or configuration files would take the system down. Because the weakness is reachable from inside the network, the realistic threat is an insider or an attacker who has already breached the perimeter and is moving laterally; in a poorly segmented or unmonitored network, the absence of any authentication or user-interaction requirement makes that step cheap. The exposed configuration files may additionally reveal instance details that help an attacker plan further moves against the SQL Server instance or the host.

Mitigation Recommendations

Audit the Windows share and the NTFS ACLs on the directory that hosts the NMIS/BioDose SQL Server Express files, and restrict both so that only the SQL Server service account, the accounts the vendor documents as needing access, and administrators can reach them; remove any entries for Everyone, Authenticated Users, Domain Users or similar broad groups. Segment the network so the server is isolated from general user networks, and use the host firewall to allow inbound SMB (TCP/445) only from the client subnets that legitimately use the share. Enable file-share auditing and review the access logs for reads of the database and configuration files from unexpected hosts or accounts. Keep secure, tested backups of the database and configuration files so tampering can be reversed. Contact Mirion Medical for a patch or an updated installation guide and apply it as soon as it is available. Include the server in internal vulnerability assessments and penetration tests that specifically look for this class of share misconfiguration, make sure EDR coverage on the host and clients can surface lateral movement and unusual SMB access, and train the staff who maintain embedded databases and shares on secure configuration. Finally, document the risk assessment and the mitigation steps for GDPR purposes.
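The share-permission audit and the least-privilege reset described in the technical analysis and the mitigation steps above, as an added PowerShell example that is not code from Mirion Medical or from the CVE record. The share name, the account names, the client subnet and the configuration-file patterns are assumptions and must be replaced with the values from your own installation; the default per-service SID for a SQLEXPRESS instance (NT SERVICE\MSSQL$SQLEXPRESS) is kept in the allowed list because the instance cannot open its database without it.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from Mirion Medical or from the CVE record.
  Audits the SMB share that exposes the NMIS/BioDose SQL Server Express
  data and configuration directory, flags share-level and NTFS entries that
  grant access to broad principals, and with -Remediate replaces them with
  a least-privilege set and scopes inbound SMB to trusted client subnets.
  Share name, account names, subnets and file patterns are assumptions.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $ShareName          = 'NMIS',                          # assumed share name
    [string[]] $AllowedAccounts    = @('BUILTIN\Administrators',
                                       'NT SERVICE\MSSQL$SQLEXPRESS',   # default SQLEXPRESS service SID
                                       'CORP\svc-nmis-app'),            # assumed application account
    [string[]] $TrustedClientCidrs = @('10.10.50.0/24'),              # assumed client subnet
    [switch]   $Remediate
)

# Well-known groups that must never hold rights on database or config files.
function Test-BroadPrincipal([string] $Account) {
    $short = ($Account -split '\\')[-1]
    return $short -in @('Everyone', 'Authenticated Users', 'Users', 'Domain Users',
                        'Domain Computers', 'Guests', 'Guest', 'ANONYMOUS LOGON')
}

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$path  = $share.Path
Write-Host "Share '$ShareName' -> $path"

# 1. Share-level permissions are the ceiling for every remote client.
$badShareAces = @(Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) })
$badShareAces | ForEach-Object { Write-Warning "Share ACE: $($_.AccountName) = $($_.AccessRight)" }

# 2. NTFS ACLs on the directory and on the files SQL Server keeps there.
#    .mdf/.ldf are the standard data/log extensions; the config patterns are assumed.
$targets = @(Get-Item -Path $path) +
           @(Get-ChildItem -Path $path -Recurse -File -Include '*.mdf', '*.ldf', '*.config', '*.ini', '*.xml')
$badNtfsAces = @(foreach ($t in $targets) {
    (Get-Acl -Path $t.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value) } |
        ForEach-Object { [pscustomobject]@{ Path = $t.FullName; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights } }
})
$badNtfsAces | ForEach-Object { Write-Warning "NTFS ACE: $($_.Path) $($_.Identity) = $($_.Rights)" }

if ($badShareAces.Count -eq 0 -and $badNtfsAces.Count -eq 0) { Write-Host 'No broad-principal ACEs found.' }
if (-not $Remediate) { return }

# 3. Share permissions become exactly the allowed accounts, nothing else.
if ($PSCmdlet.ShouldProcess($ShareName, 'Reset share permissions')) {
    Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force | Out-Null
    }
    foreach ($a in $AllowedAccounts) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $a -AccessRight Full -Force | Out-Null
    }
}

# 4. NTFS: stop inheriting from the parent, drop the explicit ACEs, grant the
#    allowed accounts full control and let the new ACEs propagate to the files.
if ($PSCmdlet.ShouldProcess($path, 'Reset NTFS ACL')) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)          # protect DACL, discard inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    foreach ($a in $AllowedAccounts) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $a, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -Path $path -AclObject $acl
}

# 5. Scope the built-in inbound SMB rule to the trusted client subnets. Windows
#    evaluates Block before Allow, so narrowing the Allow rule (with the default
#    inbound block policy) is the right shape; do not add a blanket Block on 445.
if ($PSCmdlet.ShouldProcess('File and Printer Sharing (SMB-In)', 'Scope to trusted subnets')) {
    Set-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -RemoteAddress $TrustedClientCidrs -Enabled True
}

# 6. Turn on share-access auditing so reads of the database files show up in the
#    Security log as event ID 5140 (share) and 5145 (share object access).
auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null
```

Run it first without -Remediate to see what the share and the directory tree actually grant; then run with -Remediate -WhatIf to preview the changes. Before tightening for real, confirm with Mirion Medical which accounts the networked clients genuinely need on the share, since the vendor's networked-install model may depend on client access to parts of that directory, and test that the SQL Server Express service still starts and the application still opens its database afterwards.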


Technical Details

Data Version
5.2
Assigner Short Name
icscert
Date Reserved
2025-11-11T20:56:52.837Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 692f572b3b1ed793e36e7587

Added to database: 12/2/2025, 9:16:27 PM

Last enriched: 12/2/2025, 9:17:16 PM

Last updated: 12/2/2025, 10:28:25 PM


