Mirion Medical EC2 Software NMIS BioDose

Plan Patch | CVSS 8.4 | ICS-CERT ICSMA-25-336-01 | Dec 2, 2025
Healthcare
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

EC2 Software NMIS BioDose versions prior to 23.0 contain multiple vulnerabilities related to improper file permissions (CWE-732), missing origin validation (CWE-603), and hardcoded credentials (CWE-798). Successful exploitation could allow modification of program executables, unauthorized access to the application, theft of sensitive information, and arbitrary code execution.

What this means
What could happen
An attacker with local access to a BioDose system could modify program files, execute arbitrary code, or access sensitive patient or dosimetry data. This could compromise the accuracy of radiation dose calculations used in cancer treatment planning.
Who's at risk
Healthcare organizations using Mirion Medical EC2 Software NMIS BioDose for radiation treatment planning and dose calculation. This affects medical physics departments, cancer treatment centers, and radiation oncology clinics that rely on BioDose for accurate dosimetry in radiation therapy.
How it could be exploited
An attacker with local access to the EC2 Software BioDose workstation could exploit improper file permissions or hardcoded credentials to modify executable files or configuration settings. Once the executable is modified, arbitrary code runs with the privileges of the BioDose application, potentially affecting dose calculations or accessing protected health information stored on the system.
Prerequisites
  • Local access to the EC2 Software NMIS BioDose workstation or system
  • Version prior to 23.0 installed
Local access required (lower remote risk) | High CVSS score (8.4) | File permission and credential hardcoding vulnerabilities | Safety-critical application (impacts patient radiation doses)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product | Affected Versions | Fix Status
EC2 Software NMIS BioDose: <23.0 | <23.0 | 23.0+
Remediation & Mitigation
Do now
HARDENING: Restrict physical and network access to BioDose workstations to authorized medical physics staff only
HARDENING: Isolate BioDose systems from general hospital IT networks and Internet access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EC2 Software NMIS BioDose to version 23.0 or later
HARDENING: Implement access controls and audit logging for any administrative or engineering access to BioDose systems