Cybersecurity Vulnerabilities

Critical SQL Injection Vulnerability Exposes NMIS/BioDose Systems (CVE-2025-62575)

Overview

A high-severity vulnerability, tracked as CVE-2025-62575, affects NMIS/BioDose V22.02 and all previous versions. It stems from the software’s reliance on a Microsoft SQL Server database together with a default configuration that places the ‘nmdbuser’ account, and the other accounts the application creates, in the sysadmin fixed server role. Sysadmin is the highest privilege level on a SQL Server instance, so anyone holding those database credentials can reach remote code execution (RCE) on the database host through built-in stored procedures without any further privilege escalation.

Technical Details

The core of the vulnerability is the overly permissive database role granted to the default ‘nmdbuser’ account and to the other accounts the application creates. Members of the sysadmin fixed server role bypass every permission check on the instance: they can change server configuration with sp_configure, enable extended stored procedures that have been turned off, and execute the ones that hand commands to the operating system. Anyone who can connect to the SQL Server instance with the ‘nmdbuser’ credentials (or any other account holding the role) can therefore run arbitrary commands on the underlying server; those commands run in the security context of the SQL Server service account, so the blast radius depends on how that service account was provisioned. From there an attacker can take full control of the host, read or alter the data the application stores, or disrupt the services that depend on it.

CVSS Analysis

  • CVE ID: CVE-2025-62575
  • Severity: HIGH
  • CVSS Score: 8.3

A CVSS score of 8.3 places this in the high-severity band. The score reflects that an attacker who can reach the SQL Server instance over the network and authenticate with the ‘nmdbuser’ credentials (or those of any other account holding the role) can execute arbitrary code and fully compromise the host. Because the default deployment already grants sysadmin, no privilege escalation inside the database is needed once the credentials are obtained; the database password is effectively a host-level credential.

Possible Impact

The exploitation of CVE-2025-62575 can have severe consequences, especially within a medical environment where NMIS/BioDose systems are used. Potential impacts include:

  • Remote Code Execution (RCE): Attackers can execute arbitrary code on the server hosting the NMIS/BioDose database.
  • Data Breach: Sensitive patient data and other confidential information stored in the database can be accessed and stolen.
  • System Compromise: Attackers can gain complete control over the affected systems, leading to denial of service, data manipulation, and further lateral movement within the network.
  • Disruption of Medical Services: Compromised systems can lead to the disruption of critical medical services and potentially endanger patient safety.

Mitigation or Patch Steps

To mitigate the risk posed by CVE-2025-62575, the following steps are recommended:

  1. Restrict Database Privileges: Revoke the sysadmin role from the ‘nmdbuser’ account and from any other account that does not require it, and apply the principle of least privilege by granting each account only the permissions it needs in the application database. Consult the NMIS/BioDose documentation for the specific privilege requirements, and test the reduced permissions in a non-production environment first, since an application that was installed with sysadmin may rely on it for tasks such as creating objects or running jobs.
  2. Apply Patches: Check the vendor’s website for available patches or updates to NMIS/BioDose. Apply the latest security patches as soon as possible to address the underlying vulnerability.
  3. Network Segmentation: Implement network segmentation to isolate the NMIS/BioDose systems from other critical network segments. This can limit the potential impact of a successful attack.
  4. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in the NMIS/BioDose systems and the surrounding infrastructure.
  5. Monitor System Activity: Implement security monitoring and logging to detect attempted exploitation. On the SQL Server side, watch for changes to server role membership, enabling of xp_cmdshell or similar configuration options, and connections using the ‘nmdbuser’ credentials from hosts other than the application server.
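The following T-SQL script is an added example, not code from NMIS/BioDose or its vendor, covering both the exposure described under Technical Details and steps 1 and 5 above: it first audits which logins hold sysadmin and whether the shell-out procedures are enabled, then removes the application login from sysadmin, grants it only data access in its own database, disables the procedures that lead to RCE, verifies the result from the login’s point of view, and switches on a server audit for future role changes. The database name [NMIS], the login [nmdbuser] needing only table read/write plus EXECUTE on the dbo schema, and the audit file path are assumptions; the advisory does not state the real privilege requirements, so adjust them from the vendor documentation. The page does not name the extended stored procedures involved; xp_cmdshell and the OLE Automation procedures are the standard ones a sysadmin can enable, which is why the script disables them.

```sql
-- Added example (not vendor code). Assumptions, marked below: database [NMIS],
-- login [nmdbuser], least privilege = read/write tables + EXECUTE on dbo,
-- audit files under C:\SQLAudit\. Run as a sysadmin DBA, in a test instance first.

-- 1. Audit: which real logins (SQL, Windows user, Windows group) hold sysadmin?
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- Are the OS shell-out procedures currently enabled? (1 = enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Remediate: remove the application login from sysadmin (SQL Server 2012+ syntax).
ALTER SERVER ROLE sysadmin DROP MEMBER [nmdbuser];

-- Map the login into the application database with only what the app needs.
-- [NMIS] and the exact permission set are assumptions; check the vendor docs.
USE [NMIS];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'nmdbuser')
    CREATE USER [nmdbuser] FOR LOGIN [nmdbuser];
ALTER ROLE db_datareader ADD MEMBER [nmdbuser];
ALTER ROLE db_datawriter ADD MEMBER [nmdbuser];
GRANT EXECUTE ON SCHEMA::dbo TO [nmdbuser];   -- application stored procedures (assumption)

-- 3. Turn off the procedures that turn a leaked DB credential into host RCE.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 4. Verify as the application login: both results should now be 0.
EXECUTE AS LOGIN = 'nmdbuser';
SELECT IS_SRVROLEMEMBER('sysadmin')                          AS is_sysadmin;
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')       AS can_change_config;
REVERT;

-- 5. Monitor: record any future change to server role membership or logins.
-- File path is an assumption; point it at a location the service account can write.
CREATE SERVER AUDIT NmisPrivAudit TO FILE (FILEPATH = 'C:\SQLAudit\');
CREATE SERVER AUDIT SPECIFICATION NmisPrivAuditSpec
FOR SERVER AUDIT NmisPrivAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
WITH (STATE = ON);
ALTER SERVER AUDIT NmisPrivAudit WITH (STATE = ON);
```

Two caveats when using this: rerun the first SELECT after remediation to catch the other accounts the installer created, since the advisory says they receive sysadmin too; and remember that disabling xp_cmdshell is defence in depth, not a substitute for step 2, because a login that still holds sysadmin can simply re-enable it.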

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
