Contec CMS8000 Patient Monitors Vulnerable to Cyber Threats: CISA and FDA Warning

February 1, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have raised concerns about certain vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors. These devices, which are produced by the China-based firm Contec Medical Systems, have been identified as having three specific vulnerabilities that could pose serious risks to patients if the devices are connected to the internet.

The vulnerabilities were reported to CISA by an anonymous external researcher. They include the possibility of unauthorized remote control, a backdoor risk, and the potential for data exfiltration of personally identifiable information (PII) and protected health information (PHI).

One of the vulnerabilities, known as CVE-2025-0626 and with a CVSS score of 7.7, is a hidden backdoor with a hard-coded IP address. The advisory states, “Contec Health CMS8000 Patient Monitor sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.”

CISA reported that this backdoor function, along with a functionality that allows patient data spillage, exists in all versions of the Contec CMS8000 that were analyzed.

Another vulnerability impacting the Contec CMS8000 patient monitors is an out-of-bounds write vulnerability, tracked as CVE-2024-12248 with a CVSS score of 9.3. This flaw could be exploited by an attacker sending specially formatted UDP requests to write arbitrary data and achieve remote code execution.

The third vulnerability, identified as CVE-2025-0683 with a CVSS score of 8.2, is a privacy leakage issue that results in plain-text patient data being transmitted to a hard-coded public IP address when the patient is connected to the monitor.

The FDA has stated that it is currently unaware of any attacks in the wild exploiting these vulnerabilities, and there have been no reported cybersecurity incidents, injuries, or deaths related to these vulnerabilities. However, CISA has urged organizations to disconnect Contec CMS8000 and Epsimed MN-120 monitors due to these unpatched vulnerabilities and to monitor for unusual device behavior.

Latest News

• Urgent Call to Secure Systems Against Ongoing Attacks Exploiting Microsoft Outlook RCE Vulnerability
• Critical Authentication Bypass Vulnerability in SonicOS: Proof-of-Concept Revealed
• Voyager PHP Package Vulnerabilities Open Path to One-Click RCE Exploits
• New Aquabotv3 Botnet Malware Exploits Mitel Command Injection Vulnerability
• CISA Adds Apple's Flaw to Known Exploited Vulnerabilities Catalog