Backdoor found in widely used Contec CMS8000 patient monitors

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning of a backdoor in Contec CMS8000 medical devices, which could expose them to cyberattacks.

The Contec CMS8000, primarily used in medical settings for patient monitoring, has been found to contain multiple security flaws. These vulnerabilities, which have not been addressed by the manufacturer, leave devices open to exploitation, potentially allowing attackers to gain unauthorized access to hospital networks or patient data.

“The Contec CMS8000 is used in medical settings in the US and European Union to provide continuous monitoring of a patient’s vital signs. CISA assesses that inclusion of this backdoor in the firmware of the patient monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration, introducing risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs,” the advisory said.

It should be noted that the Contec CMS8000 devices are often re-labeled and sold under the name Epsimed MN-120.

A vulnerability, tracked as CVE-2025-0626, stems from the affected product sending remote access requests to a hard-coded IP address, bypassing the device's network settings. This could potentially create a backdoor, enabling an attacker to upload and overwrite files on the device.

The reverse backdoor grants automatic connectivity from Contec CMS8000 devices to the hard-coded IP, allowing them to download and execute unverified remote files. Publicly available information shows that the IP address in question is linked to a third-party university in China, not a medical device manufacturer or medical facility.

In addition to CVE-2025-0626, two other vulnerabilities have been discovered. One of the issues is CVE-2024-12248, an out-of-bounds write vulnerability that could let an attacker send specially crafted UDP requests to write arbitrary data, leading to potential remote code execution. The second flaw is CVE-2025-0683, a privacy issue where plain-text patient data is sent to a hard-coded public IP address when a patient is connected to the monitor. Exploiting this flaw could allow unauthorized access to sensitive patient information or enable an adversary-in-the-middle (AitM) attack.

The security vulnerabilities affect the following products:

  • CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs

  • CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)

  • CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)

  • CMS8000 Patient Monitor: All versions (CVE-2025-0626 and CVE-2025-0683)

Until a patch is released, healthcare organizations are urged to remove the vulnerable devices from their systems, conduct a thorough audit of their networks, and consider alternative monitoring solutions.
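
As a starting point for the network audit recommended above, the following added example (not code from CISA, Contec, or this article) flags any flow from a patient-monitor subnet to a destination other than the approved central monitoring station, which is how a device contacting a hard-coded address would appear in flow logs. The subnet, allowlist, CSV layout, ports and all sample records are constructed assumptions; the advisory's actual IP address is not reproduced here.

```python
import csv
import io
import ipaddress

# Assumptions (constructed for this example, not taken from the advisory):
# the monitor VLAN, the approved central station, and the CSV flow-log layout.
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTS = {ipaddress.ip_address("10.20.40.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records; outside addresses use RFC 5737 documentation ranges.
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2025-02-01T10:00:01Z,10.20.30.11,10.20.40.5,tcp,6000,4200
2025-02-01T10:00:07Z,10.20.30.11,203.0.113.50,tcp,6000,1800
2025-02-01T10:00:09Z,10.20.30.12,10.20.40.5,tcp,6000,300
2025-02-01T10:01:15Z,10.20.30.12,203.0.113.50,tcp,6001,96000
2025-02-01T10:01:40Z,10.20.30.12,10.20.60.9,udp,6002,120
2025-02-01T10:02:00Z,10.20.50.8,198.51.100.7,tcp,443,5000
2025-02-01T10:02:30Z,not-an-ip,203.0.113.50,tcp,6000,10
"""


def find_unexpected_egress(flow_csv):
    """Return flows from monitor addresses to destinations that are not allowlisted."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport, nbytes = int(row["dport"]), int(row["bytes"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed records instead of aborting the audit
        if src not in MONITOR_NET or dst in ALLOWED_DESTS:
            continue
        findings.append({
            "ts": row["ts"], "src": str(src), "dst": str(dst),
            "dport": dport, "bytes": nbytes,
            # True when the destination is outside the organisation's ranges.
            "external": not any(dst in net for net in INTERNAL_NETS),
        })
    # External destinations first, then largest transfers.
    return sorted(findings, key=lambda f: (not f["external"], -f["bytes"]))


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_FLOWS):
        scope = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']}B [{scope}]")
```

Because the article states the affected traffic bypasses the device's own network settings, the check belongs on flow data collected at the switch or firewall rather than on anything the monitor reports about itself.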

