CVE-2025-64778: CWE-798 Use of Hard-coded Credentials in Mirion Medical EC2 Software NMIS BioDose
CVE-2025-64778 is a high-severity vulnerability in Mirion Medical's EC2 Software NMIS BioDose (version 22.02 and earlier) caused by hard-coded plaintext passwords embedded in executable binaries. An attacker with low privileges and no user interaction can use these credentials to gain unauthorized access to the application and its database, compromising confidentiality and integrity. Exploitation requires local rather than network-level access, which limits remote exploitation. No exploits are currently known in the wild. European organizations using this software in medical or radiation monitoring contexts face risks of data breaches and operational disruption. Mitigation requires removing hard-coded credentials, implementing secure credential storage, and applying vendor patches once available. Countries with significant healthcare infrastructure and usage of Mirion Medical products, such as Germany, France, and the UK, are most likely affected. Given the high CVSS score (8.4) and the potential impact on sensitive medical data, immediate remediation is advised.
AI Analysis
Technical Summary
CVE-2025-64778 identifies a critical security flaw in Mirion Medical's EC2 Software NMIS BioDose, versions 22.02 and earlier, where executable binaries contain hard-coded plaintext passwords. This vulnerability falls under CWE-798, the use of hard-coded credentials, which an attacker can extract from the binaries and use to bypass authentication controls. The embedded passwords grant unauthorized access to both the application layer and the underlying database, potentially allowing an attacker to read, modify, or delete sensitive data related to radiation dose monitoring. The CVSS 4.0 vector indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no user interaction (UI:N), and low privileges (PR:L), and results in high confidentiality and integrity impact with limited availability impact. In practice this means an attacker must already have some level of local access, for example through a compromised user account or as an insider. No public exploits have been reported yet, but hard-coded credentials are a well-known risk factor that can be leveraged in targeted attacks or insider misuse. Because no patch was available at the time of publication, interim mitigations are needed immediately. This vulnerability is particularly concerning for medical and industrial control environments where NMIS BioDose is deployed, as unauthorized access could lead to data manipulation or loss of trust in radiation monitoring results.
Potential Impact
For European organizations, especially those in healthcare, nuclear medicine, and radiation safety sectors, this vulnerability poses a significant risk. Unauthorized access to the NMIS BioDose application and database could lead to exposure or alteration of sensitive patient radiation dose data, potentially violating GDPR and other data protection regulations. Integrity breaches could result in incorrect dose reporting, affecting patient safety and regulatory compliance. The local access requirement somewhat limits exploitation scope, but insider threats or compromised local accounts could still lead to serious breaches. Operational disruptions could occur if attackers modify or delete critical data, impacting clinical decision-making and safety monitoring. The reputational damage and potential regulatory penalties for mishandling sensitive medical data could be substantial. Given the critical nature of radiation dose monitoring, any compromise could have downstream effects on patient care quality and safety.
Mitigation Recommendations
Organizations should immediately audit their NMIS BioDose deployments to identify affected versions and binaries containing hard-coded credentials. Until patches are released, restrict local access to trusted personnel only and monitor for unusual access patterns or privilege escalations. Employ application-layer controls such as multi-factor authentication and network segmentation to limit exposure. Replace hard-coded credentials with secure credential management solutions, such as environment variables or encrypted vaults, once vendor patches or updates become available. Conduct thorough code reviews and binary analysis to detect embedded secrets in custom or legacy software components. Implement strict logging and alerting for access to the NMIS BioDose application and database. Engage with Mirion Medical for timelines on official patches and apply them promptly. Additionally, ensure compliance with data protection regulations by encrypting sensitive data at rest and in transit and maintaining incident response plans tailored to medical device software vulnerabilities.
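The technical analysis above describes CWE-798 credentials baked into executables, and the mitigations call for binary analysis to detect embedded secrets. The following Python script is an added audit example, not code from the advisory, from Mirion Medical, or from the NMIS BioDose product: it extracts printable strings from a binary the way the `strings` tool does, flags connection-string style `key=value` pairs whose key looks credential-like, and reports only a redacted value so the audit log itself never stores the secret. The sample binary, its offsets and the credential values are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample "binary": a few bytes of noise around embedded strings,
# one of which is a database connection string with a plaintext password.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x00\x00\x00"
    + b"Server=db01;Database=BioDose;User Id=nmis;Password=Example#1;"
    + b"\x00\x00\x90\x90"
    + b"Radiation dose report generated\x00"
    + b"\x00pwd=hunter2\x00"
    + b"\x00version=22.02\x00"
)

# Printable ASCII runs of at least MIN_LEN bytes, like `strings -n 8`.
MIN_LEN = 8
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# key=value / key:value pairs whose key commonly carries a credential in
# connection strings and config blobs compiled into executables.
_CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*([^;\s\"']+)"
)


@dataclass(frozen=True)
class Finding:
    offset: int    # byte offset of the containing string inside the binary
    key: str       # credential-like key that matched (lower-cased)
    redacted: str  # value masked to its length only; the secret is never kept


def extract_strings(data: bytes):
    """Yield (offset, text) for every printable run of MIN_LEN+ bytes."""
    for m in _STRING_RE.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_hardcoded_credentials(data: bytes) -> list[Finding]:
    """Scan a binary blob for embedded credential-like key/value pairs."""
    findings = []
    for offset, text in extract_strings(data):
        for m in _CRED_RE.finditer(text):
            key, value = m.group(1).lower(), m.group(2)
            findings.append(Finding(offset, key, "*" * len(value)))
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_BINARY):
        print(f"offset 0x{f.offset:x}: {f.key}={f.redacted}")
```

Run it over your own deployed executables (`open(path, "rb").read()`) as part of the audit; a hit at a stable offset across installations is the signature of a credential compiled into the product rather than one configured locally.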
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-11-11T20:56:52.864Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f572b3b1ed793e36e758d
Added to database: 12/2/2025, 9:16:27 PM
Last enriched: 12/9/2025, 9:22:51 PM
Last updated: 1/17/2026, 12:53:27 AM