PT-2025-48778 · Unknown+1 · Nmis/Biodose+1
Published: 2025-12-02 · Updated: 2025-12-02
CVE-2025-62575
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
NMIS/BioDose versions prior to 22.02
Description
The software relies on a Microsoft SQL Server database where the SQL user account nmdbuser and other created accounts are assigned the 'sysadmin' role by default. This configuration can allow for remote code execution through the use of specific built-in stored procedures.
Recommendations
Ensure the nmdbuser account and any other created accounts do not have the 'sysadmin' role assigned to them. Restrict the privileges of these accounts to the minimum necessary for their intended function.
Fix
RCE
Incorrect Permission
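The recommendation above can be verified on the SQL Server instance with the T-SQL audit below. It is an added example, not vendor or advisory code, and it assumes a session with permission to view all server principals. The CONTROL SERVER check goes beyond the advisory text, which names only the 'sysadmin' role.

```sql
-- Added audit example (not vendor code). Run on the SQL Server instance
-- that hosts the NMIS/BioDose database.

-- 1. Every login that is a member of the sysadmin fixed server role.
--    Built-in and DBA logins are expected here; application accounts are not.
SELECT  m.name        AS login_name,
        m.type_desc   AS login_type,
        m.is_disabled,
        m.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Direct check for the account named in the advisory.
--    1 = member, 0 = not a member, NULL = login not found or not visible.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'nmdbuser') AS nmdbuser_is_sysadmin;

-- 3. Logins granted CONTROL SERVER, which confers sysadmin-like authority
--    without role membership and would be missed by query 1.
SELECT  p.name AS login_name,
        sp.state_desc,
        sp.permission_name
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.permission_name = N'CONTROL SERVER'
  AND   sp.state IN ('G', 'W')      -- GRANT, or GRANT WITH GRANT OPTION
ORDER BY p.name;

-- 4. Remediation for each application account found by queries 1 to 3.
--    Left commented out: the replacement grants the application needs are
--    product-specific and are not listed in the advisory, so test first.
-- ALTER SERVER ROLE [sysadmin] DROP MEMBER [nmdbuser];
```

Re-run queries 1 to 3 after any change, and again after upgrades or reinstalls, since the advisory states the role is assigned by default.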
Affected Products
Sql Server
Nmis/Biodose