Pierluigi Paganini February 01, 2025

The U.S. CISA and the FDA warned of a hidden backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) warned that three flaws in Contec CMS8000 and Epsimed MN-120 patient monitors could endanger patients when connected to the internet. The CMS8000 Patient Monitor is made by China-based company Contec Medical Systems.

An anonymous external researcher reported the three vulnerabilities in patient monitors to CISA. The issues are an unauthorized remote control, a backdoor risk, and data exfiltration of personally identifiable information (PII) and protected health information (PHI).

One of these vulnerabilities, tracked as CVE-2025-0626 (CVSS score of 7.7), is a hidden backdoor with a hard-coded IP address.

“Contec Health CMS8000 Patient Monitor sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.” reads the advisory.

“This fact sheet details an analysis of three firmware package versions of the Contec CMS8000, a patient monitor used by the U.S. Healthcare and Public Health (HPH) sector. Analysts discovered that an embedded backdoor function with a hard-coded IP address, CWE – 912: Hidden Functionality
 (CVE-2025-0626), and functionality that enables patient data spillage, CWE – 359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683), exists in all versions analyzed.” reported CISA.

Another flaw affecting the Contec CMS8000 patient monitors is an out-of-bounds write vulnerability tracked as CVE-2024-12248 (CVSS score of 9.3). An attacker could trigger this flaw by sending specially formatted UDP requests to write arbitrary data and achieve remote code execution.

The third vulnerability, tracked as CVE-2025-0683 (CVSS score of 8.2), is a privacy leakage issue that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor.

“In its default configuration, Contec Health CMS8000 Patient Monitor transmits plain-text patient data to a hard-coded public IP address when a patient is hooked up to the monitor.” reads the advisory. “This could lead to a leakage of confidential patient data to any device with that IP address or an attacker in a machine-in-the-middle scenario.”

The vulnerabilities impact the following products:

• CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs
• CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
• CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)
• CMS8000 Patient Monitor: All versions (CVE-2025-0626 and CVE-2025-0683)

The FDA is not aware of attacks in the wild exploiting these vulnerabilities. 

“These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device.” states the FDA. The FDA is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.” 

CISA urges organizations to disconnect Contec CMS8000 and Epsimed MN-120 monitors due to unpatched vulnerabilities and monitor for unusual device behavior.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CMS8000)