Mirion Medical EC2 Software NMIS BioDose
Plan Patch | CVSS 8.4 | ICS-CERT ICSMA-25-336-01 | Dec 2, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
EC2 Software NMIS BioDose version 23.0 and earlier contains multiple vulnerabilities related to improper file permissions (CWE-732), missing authentication on critical functions (CWE-603), and hardcoded credentials (CWE-798). These weaknesses allow an attacker with local or adjacent network access to modify program files, access sensitive patient dosimetry information, bypass application authentication, and execute arbitrary code. The vulnerabilities could compromise the integrity of radiation dose calculations and reporting used in clinical treatment planning.
What this means
What could happen
An attacker with local access to the BioDose system could modify program files, steal sensitive data like patient dosimetry records, gain unauthorized access to the application, or run arbitrary code that could alter radiation dose calculations or reporting.
Who's at risk
Healthcare facilities using Mirion Medical EC2 Software NMIS BioDose for radiation dose calculation and management should prioritize remediation. This affects medical physics workstations and radiation oncology planning systems that generate treatment reports and dose documentation used for patient safety.
How it could be exploited
An attacker with physical or local network access to the BioDose workstation could exploit weak file permissions (CWE-732) or hardcoded credentials (CWE-798) to gain elevated privileges, modify program executables, access stored patient and dosimetry data, or inject malicious code into the application.
Prerequisites
- Local or adjacent network access to the BioDose system
- No credentials required for file permission exploitation (CWE-732)
- System running EC2 Software NMIS BioDose version prior to 23.0
- Local/adjacent network access required (not remotely exploitable)
- Weak file permissions (CWE-732)
- Hardcoded credentials (CWE-798)
- Affects healthcare data integrity and patient safety
- CVSS 8.4 High severity
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
EC2 Software NMIS BioDose: <23.0 | <23.0 | 23.0 or later
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and network access to BioDose workstations—do not expose them directly to business networks or the Internet
- HARDENING: Place BioDose systems behind a firewall and isolate them from business and clinical networks
- HARDENING: Review and restrict file system permissions on the BioDose application directories to prevent unauthorized modification of program executables
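
One way to carry out the file-permission review above, as an added example that is not from the advisory or the vendor: a PowerShell audit that lists files and folders under the application directory where broad groups hold write-type rights. It assumes a Windows workstation; the `$InstallDir` default is a placeholder, not the product's real path.

```powershell
# Added example: list files/folders under an application directory where
# broad Windows groups hold write-type rights (the CWE-732 condition).
param(
    # Placeholder, not the product's real path: set to the install directory.
    [string]$InstallDir = 'C:\Path\To\BioDose'
)

# Well-known SIDs of broad groups (SIDs also match on localized Windows builds).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a principal change content, delete/replace, or re-ACL an item.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store raw GENERIC_ALL (0x10000000) / GENERIC_WRITE (0x40000000) bits.
$Mask = [int]$WriteRights -bor 0x50000000

# Audit the directory itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $InstallDir -ErrorAction Stop) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # ACL not readable with current privileges
    # Explicit and inherited ACEs, with identities resolved to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights -band $Mask) -ne 0)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Path | Format-Table -AutoSize -Wrap }
else { Write-Output "No write-type access for broad groups found under $InstallDir" }
```

Run it from an elevated prompt so every ACL can be read. Entries marked `Inherited = True` are fixed at the parent folder rather than on the individual file.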
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update EC2 Software NMIS BioDose to version 23.0 or later
- HARDENING: If remote access to BioDose is necessary, use a VPN and ensure the VPN is kept current with security updates