A remote code execution vulnerability and a hidden backdoor have been identified in the firmware of widely used patient monitors from Contec Health: Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. Testing by the Cybersecurity and Infrastructure Security Agency (CISA) determined the backdoor allows patient data to be sent to a hard-coded IP address.

Contec Health is a Chinese healthcare technology company that provides patient monitoring systems, diagnostic equipment, and laboratory instruments. Its products are extensively used by healthcare organizations in the United States and Europe. After being alerted to firmware vulnerabilities by an anonymous researcher, CISA investigated and confirmed the presence of three vulnerabilities in multiple firmware versions, including a backdoor that silently transfers patient data in plain text to an external hard-coded IP address.

The backdoor was present in all versions of the Contec Health CMS8000 Patient Monitor and Epsimed MN-120 Patient Monitor. In their default configuration, the products transmit patient data in plain text to a public IP address when a patient is connected to the patient monitor. Any device with that hard-coded IP address will receive patient data, and since patient data is transmitted in plain text, it could be intercepted in a machine-in-the-middle attack. Transmitted patient data includes the doctor’s name, patient ID, patient’s name, patient’s date of birth, and monitoring information. Data transmission commences whenever the patient monitors are connected to the Internet, including in a healthcare setting or home setting.

The hidden backdoor sends out remote access requests to the hard-coded IP address, bypassing device network settings. Through the backdoor, a malicious actor could upload and overwrite files on the device. The vulnerability is tracked as CVE-2025-0626 and has a CVSS v3.1 base score of 7.5 (CVSS v4 7.7).
The disclosure of personal information vulnerability is tracked as CVE-2025-0683 and has been assigned a CVSS v3.1 base score of 5.9 (CVSS v4 8.2).

A third vulnerability was identified in three firmware versions that can lead to remote code execution. The critical vulnerability is tracked as CVE-2024-12248 and has been assigned a CVSS v3.1 base score of 9.8 (CVSS v4 9.3). The out-of-bounds write vulnerability allows an attacker to send specially formatted UDP requests and write arbitrary data, which could lead to remote code execution, allowing an attacker to take control of the devices. The vulnerability affects the following firmware versions:

* CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs
* CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
* CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)

CISA warns that it is possible to simultaneously exploit the vulnerabilities on all vulnerable devices on a shared network. The vulnerabilities allow an unauthorized actor to remotely control the patient monitors and obtain patient data. The presence of the backdoor could potentially lead to a compromise of the network to which vulnerable patient monitors are connected.

CISA confirmed that the IP address is not associated with Contec Health and has traced the IP address to a university. [*Bleeping Computer*](https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/) identified the IP address and confirmed it is associated with a Chinese university, and reports that the backdoor is also present in medical equipment from different Chinese healthcare manufacturers, including a pregnancy patient monitor.

Both CISA and the U.S.
Food and Drug Administration (FDA) have issued warnings about the vulnerabilities ([FDA](https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication), [CISA](https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01)). Immediate action is required to mitigate the vulnerabilities. All vulnerable devices should be disconnected from networks and only local monitoring features of the device should be used until Contec Health releases a firmware update. At present, there is no software patch to mitigate the vulnerabilities.

Per the FDA Safety Communication:

> * If your patient monitor relies on remote monitoring features, unplug the device and stop using it.
> * If your device **does not** rely on remote monitoring features, unplug the device’s ethernet cable and disable wireless (that is, WiFi or cellular) capabilities. If you cannot disable the wireless capabilities, then continuing to use the device will expose the device to the backdoor and possible continued patient data exfiltration.

Healthcare facility staff have also been advised to check for unusual functioning, such as inconsistencies between displayed patient vitals and a patient’s physical state.

The post [Backdoor Identified in Contec CMS8000 Patient Monitors That Transmits Patient Data](https://www.hipaajournal.com/contec-cms8000-patient-monitors-critical-flaw-backdoor/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
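
The backdoor behaviour described above, monitors contacting a hard-coded public IP address regardless of configured network settings, can be checked for in network flow records. The following is an added example, not code from CISA, the FDA, or the original article; the monitor subnet, the log format, the ports and every address in it are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: patient monitors sit on a dedicated segment; change to match your network.
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")
# Destinations treated as local (private, loopback, link-local, multicast, broadcast).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# Constructed flow records: "timestamp src dst proto dport bytes".
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for public hosts.
SAMPLE_FLOWS = """\
2025-02-03T09:00:01Z 10.20.30.11 10.20.1.5 tcp 8080 2048
2025-02-03T09:00:02Z 10.20.30.11 198.51.100.77 tcp 9000 8192
2025-02-03T09:00:05Z 10.20.30.12 198.51.100.77 tcp 9000 4096
2025-02-03T09:00:07Z 10.20.30.12 224.0.0.251 udp 5353 120
2025-02-03T09:00:09Z 10.20.40.8 203.0.113.9 tcp 443 900
2025-02-03T09:00:12Z 10.20.30.13 203.0.113.50 udp 123 76
truncated record
"""

def external_egress(flow_text):
    """Map each external destination to the monitors that contacted it."""
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0, "ports": set()})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of aborting the scan
        _, src, dst, proto, dport, nbytes = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            nbytes = int(nbytes)
        except ValueError:
            continue
        if src_ip in MONITOR_NET and not any(dst_ip in n for n in INTERNAL_NETS):
            entry = hits[dst]
            entry["sources"].add(src)
            entry["bytes"] += nbytes
            entry["ports"].add(f"{proto}/{dport}")
    return dict(hits)

def shared_destinations(hits, min_sources=2):
    """External hosts contacted by several monitors, as a hard-coded endpoint would be."""
    return sorted(d for d, h in hits.items() if len(h["sources"]) >= min_sources)

if __name__ == "__main__":
    found = external_egress(SAMPLE_FLOWS)
    for dst in shared_destinations(found):
        print(dst, sorted(found[dst]["sources"]), found[dst]["bytes"], "bytes")
```

Any external destination reported for the monitor segment is a reason to isolate the device as the FDA guidance directs; one external host contacted by several monitors is the pattern a hard-coded address produces.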