A critical backdoor vulnerability has been identified in Contec CMS8000 and Epsimed MN-120 patient monitors, prompting alerts from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA). Tracked as CVE-2025-0626, the flaw causes the device to send remote access requests to a hard-coded IP address, potentially enabling malicious actors to upload and overwrite files on the device. The issue was reported by an external researcher and carries a CVSS v4 score of 7.7 out of 10.
The reverse backdoor in the devices allows automated connectivity to a third-party university’s IP address, facilitating the download and execution of unverified remote files. Two additional vulnerabilities have been identified – CVE-2024-12248, enabling remote code execution, and CVE-2025-0683, causing plain-text patient data leakage to a public IP address. These vulnerabilities could lead to unauthorized access to patient information or compromise patient privacy.
Affected products include various versions of the CMS8000 Patient Monitor firmware. The FDA recommends that organizations disconnect and remove these devices from their networks because the vulnerabilities are unpatched. It is also advised to watch the devices for any unusual behavior and for inconsistencies in displayed patient vitals. The devices are also sold under the name Epsimed MN-120.
Contec Medical Systems, the manufacturer of the CMS8000 Patient Monitor, is based in Qinhuangdao, China, and distributes its FDA-approved products to over 130 countries and regions. While no cybersecurity incidents related to these vulnerabilities have been reported, precautions should be taken to mitigate potential risks associated with the identified security flaws.
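For sites that still have these devices in service, the behavior described above (a monitor initiating connections to an address outside the hospital network) can be checked for in flow logs. The following is an added example, not code from CISA, the FDA or the vendor; the internal ranges, monitor inventory, record format and sample flows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed inventory of patient-monitor addresses (hypothetical).
MONITOR_IPS = {"10.20.5.11", "10.20.5.12"}
# Constructed flow records: time,src,dst,dst_port,bytes_out.
# 203.0.113.0/24 is a documentation range standing in for a public host.
SAMPLE_FLOWS = """\
2025-02-03T08:00:01Z,10.20.5.11,10.20.1.5,9000,2048
2025-02-03T08:00:07Z,10.20.5.11,203.0.113.40,9000,9120
2025-02-03T08:00:09Z,10.20.5.30,203.0.113.40,443,800
2025-02-03T08:01:12Z,10.20.5.12,203.0.113.40,9000,4410
2025-02-03T08:02:30Z,10.20.5.11,203.0.113.40,9000,8800
bad line without enough fields
"""

def is_internal(addr):
    """True if addr falls inside one of the site's internal ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def find_monitor_egress(flow_text, monitor_ips=MONITOR_IPS):
    """Group flows from inventoried monitors to non-internal destinations."""
    hits = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "ports": set()})
    for line in flow_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip malformed records
        _ts, src, dst, port, nbytes = parts
        try:
            if src not in monitor_ips or is_internal(dst):
                continue  # not a monitor, or traffic stays on site
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue  # unparsable address or number
        hit = hits[(src, dst)]
        hit["flows"] += 1
        hit["bytes_out"] += nbytes
        hit["ports"].add(port)
    return dict(hits)

if __name__ == "__main__":
    for (src, dst), h in sorted(find_monitor_egress(SAMPLE_FLOWS).items()):
        print(f"ALERT monitor {src} -> external {dst}: {h['flows']} flows, "
              f"{h['bytes_out']} bytes, ports {sorted(h['ports'])}")
```

Any hit is worth investigating, since a bedside monitor normally has no reason to reach a destination outside the clinical network.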