Skip to main content
CyberSecurity

CISA, FDA Warn of Critical Backdoor in Contec CMS8000 Monitors

simran January 31, 2025
CISA, FDA Warn of Critical Backdoor in Contec CMS8000 Monitors

Critical Backdoor in Contec Patient Monitors

Vulnerability Alert

U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.

The Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors contain a critical backdoor that allows unauthorized access to the device.

Vulnerability Details

The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0.

The flaw, alongside two other issues, was reported to CISA by an anonymous external researcher.

"The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so," CISA said in an advisory. "This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device."

Identified Vulnerabilities

Two other identified vulnerabilities in the devices are listed below:

  • CVE-2024-12248 (CVSS v4 score: 9.3) – An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution.
  • CVE-2025-0683 (CVSS v4 score: 8.2) – A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor.

Affected Products

The security holes affect the following products:

  • CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs
  • CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
  • CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)
  • CMS8000 Patient Monitor: All versions (CVE-2025-0626 and CVE-2025-0683)

Recommendations

CISA is recommending that organizations unplug and remove any Contec CMS8000 devices from their networks.

It’s also advised to check the patient monitors for any signs of unusual functioning, such as "inconsistencies between the displayed patient vitals and the patient’s actual physical state."

Manufacturer Information

CMS8000 Patient Monitor is manufactured by Contec Medical Systems, a developer of medical devices that are located in Qinhuangdao, China.

On its website, the company claims its products are FDA-approved and distributed to over 130 countries and regions.

Stay Informed

Follow us on Twitter and LinkedIn to read more exclusive content we post.

Found this article interesting? Share it with your friends and colleagues to spread the word about this critical vulnerability.

Don’t forget to follow us on Twitter and LinkedIn to stay up-to-date with the latest cybersecurity news and alerts.


Source Link

Next Post

You May Also Like

XTRIS: Addictive Arcade GameNews

XTRIS: Addictive Arcade Game

March 3, 2025
Protesters hold signs at a protest against Elon Musk and Donald Trump on Feb. 18, 2025 San Diego, California.
Judge Won’t Stop Elon Musk’s Gov’t TakedownNews

Judge Won’t Stop Elon Musk’s Gov’t Takedown

February 18, 2025
A Tesla supercharger station filled with electric cars.
Tesla Tests Virtual Queues at StationsNews

Tesla Tests Virtual Queues at Stations

February 21, 2025

FUSION MAG