US Cybersecurity Agency Finds Backdoor in Contec Patient Monitoring Devices

Key Points

  • CISA discovered a backdoor in Contec CMS8000 patient monitoring devices, exposing sensitive patient data.
  • The vulnerability (CVE-2025-0626) allows unauthorized data transmission to a third-party IP address.
  • Two additional security flaws (CVE-2024-12248, CVE-2025-0683) pose risks of remote code execution and privacy breaches.
  • The FDA advises disconnecting affected devices from networks to prevent potential cyber threats.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released a report uncovering security vulnerabilities in the Contec CMS8000 patient monitoring system, widely used in hospitals and healthcare facilities. The report revealed that three firmware versions of the device contained a backdoor with a hardcoded IP address, transmitting patient data without authorization. These devices connect to central monitoring systems via wired or wireless networks, making them susceptible to cyber threats.

CISA’s investigation found that the affected devices transmitted detailed patient information, including doctors’ names, hospital departments, admission dates, birth dates, and other sensitive data. This vulnerability has been designated as CVE-2025-0626, receiving a CVSS v4 score of 7.7, indicating a high-risk security flaw. Two additional vulnerabilities were identified: CVE-2024-12248, which allows remote data writing and potential code execution, and CVE-2025-0683, which poses a significant privacy risk.

The FDA has acknowledged the cybersecurity risks posed by these vulnerabilities but stated that it has no evidence of any related cybersecurity incidents, injuries, or deaths. Contec Medical Systems, a China-based medical device manufacturer, supplies these patient monitors to hospitals, clinics, and healthcare facilities in the United States, the European Union, and over 130 other countries. The devices are also sold on platforms such as eBay for $599 and are marketed under the rebranded name Epsimed MN-120.

CISA noted that the hardcoded IP address does not belong to any medical device manufacturer but is linked to a third-party university. However, the agency did not disclose the university’s name, the specific IP address, or the country receiving the data. The investigation ruled out the possibility that this was an alternative update system, as it lacked standard version tracking and integrity checks. Instead, it appeared to involve remote file sharing and data transmission.
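Since a bedside monitor should only ever talk to its central monitoring station, the behaviour CISA describes shows up in network flow records as egress to a destination that is not on the device segment's allow list. The script below is an added defensive example, not code from CISA, the FDA or Contec; the device subnet, the allow-listed stations, the flow-record format and the external address (taken from an RFC 5737 documentation range) are all constructed for illustration.

```python
"""Flag outbound flows from a patient-monitor segment whose destination is not an
allow-listed monitoring or management host. Added example; all values constructed."""
import ipaddress
from typing import Iterable

# Constructed: the VLAN holding the bedside monitors and the only hosts they should reach.
MONITOR_SEGMENT = ipaddress.ip_network("10.40.0.0/24")        # hypothetical device VLAN
ALLOWED_DESTINATIONS = {
    ipaddress.ip_network("10.40.1.5/32"),   # hypothetical central monitoring station
    ipaddress.ip_network("10.40.1.2/32"),   # hypothetical NTP / management host
}


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'src dst dport proto bytes'."""
    src, dst, dport, proto, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def is_unexpected_egress(flow: dict) -> bool:
    """True when a monitor on the device segment talks to a non-allow-listed host."""
    if flow["src"] not in MONITOR_SEGMENT:
        return False  # traffic originating elsewhere is out of scope for this check
    return not any(flow["dst"] in net for net in ALLOWED_DESTINATIONS)


def flag_flows(lines: Iterable[str]) -> list[str]:
    """Return 'src -> dst:dport (bytes)' strings for flows that need review."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the header comment
        flow = parse_flow(line)
        if is_unexpected_egress(flow):
            findings.append(f"{flow['src']} -> {flow['dst']}:{flow['dport']} ({flow['bytes']} bytes)")
    return findings


# Constructed sample flows: two expected, one to a hard-coded external host, one inbound reply.
SAMPLE_FLOWS = """
# src            dst            dport proto bytes
10.40.0.12       10.40.1.5      5150  tcp   18230
10.40.0.12       10.40.1.2      123   udp   76
10.40.0.12       203.0.113.10   9000  tcp   40960
10.40.1.5        10.40.0.12     5150  tcp   1200
"""

if __name__ == "__main__":
    for finding in flag_flows(SAMPLE_FLOWS.splitlines()):
        print("review:", finding)
```

In practice the allow list is populated from the site's own asset inventory, and the flow records come from the switch or firewall in front of the device VLAN.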

The FDA recommends immediately disconnecting these devices from networks to prevent unauthorized data access. Contec has not addressed the issue or released a firmware update to fix the vulnerabilities. Given ongoing cybersecurity concerns and past cyberattacks originating from China, the discovery of this backdoor has raised alarm among healthcare professionals and cybersecurity experts.