Overview
CVE-2025-61940 is a high-severity vulnerability affecting NMIS/BioDose versions 22.02 and earlier. This vulnerability stems from the software’s reliance on a single, common SQL Server user account for database access. While the client application implements password authentication, the underlying database connection remains consistently accessible, potentially allowing unauthorized data access and manipulation.
Technical Details
The vulnerability lies in the fact that all users, regardless of their client-side credentials, ultimately connect to the SQL Server database using the same shared account. This bypasses the intended access controls enforced by the client application. An attacker who gains access to this shared database credential, or leverages an SQL injection flaw within the application, could potentially read, modify, or delete sensitive data within the NMIS/BioDose database.
CVSS Analysis
- CVSS Score: 8.3 (HIGH)
This score reflects the potential for significant impact. Successful exploitation could lead to unauthorized access to sensitive medical data, potentially impacting patient care and privacy.
Possible Impact
Exploitation of CVE-2025-61940 could have severe consequences, including:
- Data Breach: Unauthorized access to patient records and other sensitive data.
- Data Manipulation: Modification of patient data, leading to incorrect treatment or diagnosis.
- System Compromise: Potential for further exploitation of the database server itself.
- Compliance Violations: Violations of HIPAA and other data privacy regulations.
Mitigation and Patch Steps
The recommended mitigation is to upgrade to the latest version of NMIS/BioDose, which introduces the option to use Windows user authentication with the database. This allows for more granular access control and reduces the risk associated with a shared database account. If upgrading is not immediately possible, consider the following temporary measures:
- Network Segmentation: Isolate the NMIS/BioDose server and database server on a separate network segment.
- Database Monitoring: Implement monitoring to detect suspicious database activity.
- Restrict Network Access: Limit network access to the SQL Server to only authorized devices and users.
- Apply the latest security updates for SQL Server. Ensure that the SQL Server instance is properly hardened and has the latest security patches applied.
