The Contec CMS8000 patient monitor, a widely used device in healthcare settings, has been found to have vulnerabilities that could put patient data at risk. The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the monitor, manufactured by a Chinese company, has a backdoor that can exfiltrate patient data to a hard-coded IP address and allow for the download and execution of unverified files.
The presence of this backdoor in the monitor’s firmware presents a serious risk to patient safety, as it could potentially lead to improper responses to vital signs displayed by the device. CISA, after being alerted to the monitor’s suspicious functions by an external researcher, identified three vulnerabilities in the firmware:
1. A reverse backdoor (CVE-2025-0626) that connects to a hard-coded IP address and allows for the uploading and overwriting of files
2. An out-of-bounds write flaw (CVE-2024-12248) that could enable attackers to write arbitrary data to the device through specially formatted UDP requests
3. A vulnerability (CVE-2025-0683) that results in the collection and transmission of plaintext patient and monitor sensor data to the hard-coded IP address
The IP address linked to the monitor is not associated with a medical facility but with a third-party university in China. This raises concerns about the potential misuse of the collected patient data and underscores the need for increased vigilance regarding cybersecurity in healthcare.
The lack of an alternative update mechanism, integrity-checking mechanisms, and version tracking in the backdoor function further exacerbates the security risks posed by the monitor. Without proper oversight and monitoring, hospitals and healthcare providers may be unaware of the software running on the device, making it difficult to ensure the safety and privacy of patient data.
While the US Food and Drug Administration (FDA) has not reported any cybersecurity incidents or harm related to these vulnerabilities, it recommends that healthcare providers remain alert for signs of unusual activity and disable remote monitoring features on the affected monitors. In the absence of a patch for these flaws, providers are advised to consider alternative patient monitoring solutions to mitigate the potential risks posed by the Contec CMS8000 and Epsimed MN-120 monitors.
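One way to watch for the unusual activity described above is to check network flow records for monitors talking to anything other than their central station, and for UDP arriving at them from unexpected hosts. The sketch below is an added example, not code from CISA, the FDA, or the vendor; the log format, the monitor subnet, the central-station address and the sample records are all constructed assumptions, and the external addresses are documentation ranges rather than the address named in the advisory.

```python
import ipaddress

# Assumptions (site-specific, not from the advisory): the subnet the bedside
# monitors live on and the only hosts they are expected to talk to.
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = [ipaddress.ip_network("10.20.40.5/32")]  # central station

# Constructed flow records in an assumed format: "timestamp proto src dst bytes"
SAMPLE_FLOWS = """\
2025-02-03T10:00:01Z tcp 10.20.30.11 10.20.40.5 1840
2025-02-03T10:00:07Z tcp 10.20.30.12 203.0.113.77 96212
2025-02-03T10:01:15Z udp 198.51.100.9 10.20.30.11 512
2025-02-03T10:02:30Z udp 10.20.40.5 10.20.30.12 128
2025-02-03T10:03:02Z tcp 10.20.30.12 203.0.113.77 88104
malformed line
"""

def _allowed(addr):
    return any(addr in net for net in ALLOWED_PEERS)

def find_suspicious(flow_text):
    """Return sorted (reason, monitor_ip, peer_ip, total_bytes) tuples."""
    totals = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, proto, src, dst, nbytes = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            nbytes = int(nbytes)
        except ValueError:
            continue
        if src_ip in MONITOR_NET and not _allowed(dst_ip):
            # Monitor sending data to a host that is not its central station
            key = ("monitor-egress", src, dst)
        elif proto == "udp" and dst_ip in MONITOR_NET and not _allowed(src_ip):
            # UDP reaching a monitor from a host with no reason to send it
            key = ("unexpected-udp-inbound", dst, src)
        else:
            continue
        totals[key] = totals.get(key, 0) + nbytes
    return sorted(key + (total,) for key, total in totals.items())

if __name__ == "__main__":
    for reason, monitor, peer, total in find_suspicious(SAMPLE_FLOWS):
        print(f"{reason}: monitor={monitor} peer={peer} bytes={total}")
```

The allowlist is explicit rather than based on "private address" tests, so a destination is flagged unless the site has named it as an expected peer.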
In conclusion, the discovery of these vulnerabilities underscores the critical need for robust cybersecurity measures in medical devices, especially those used in healthcare settings where patient data security is paramount. Healthcare organizations, patients, and caregivers must prioritize the protection of sensitive information and take proactive steps to address vulnerabilities in monitoring devices to safeguard patient safety and privacy.