CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued urgent warnings regarding a critical security vulnerability in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.


Severe Cybersecurity Risk Identified

The vulnerability, designated CVE-2025-0626, has been assigned a CVSS v4 severity score of 7.7, indicating a high-risk threat. Discovered by an anonymous security researcher, this flaw—along with two additional vulnerabilities—poses a significant cybersecurity risk.


According to CISA, "The affected product sends remote access requests to a hard-coded IP address, bypassing device network settings." This behavior effectively creates a backdoor, enabling threat actors to upload and overwrite files remotely.


More alarmingly, the backdoor automatically connects to an external hard-coded IP address, allowing the download and execution of unverified remote files. Investigations reveal that the associated IP address is not linked to any medical device manufacturer or healthcare facility, but rather to a third-party university.


Additional Security Vulnerabilities

Beyond the critical backdoor, two other vulnerabilities have been identified:

  • CVE-2024-12248 (CVSS v4 score: 9.3) – Out-of-Bounds Write Vulnerability
    Allows attackers to send specially crafted UDP requests that write arbitrary data, potentially leading to remote code execution.

  • CVE-2025-0683 (CVSS v4 score: 8.2) – Privacy Leak
    Patient data is transmitted in plain text to a hard-coded public IP address whenever the monitor is in use, creating opportunities for data interception and adversary-in-the-middle (AitM) attacks.


If exploited, CVE-2025-0683 could allow an attacker to intercept sensitive patient data, breaching medical confidentiality and regulatory compliance.


Impacted Devices and Firmware Versions

The following Contec CMS8000 firmware versions are affected:

  • Firmware version: smart3250-2.6.27-wlan2.1.7.cramfs

  • Firmware version: CMS7.820.075.08/0.74(0.75)

  • Firmware version: CMS7.820.120.01/0.93(0.95)

  • All CMS8000 versions (CVE-2025-0626 and CVE-2025-0683)


FDA and CISA Urge Immediate Action

While no known exploits, injuries, or fatalities have been reported, the FDA warns that these vulnerabilities could allow unauthorized access and manipulation of medical devices.


CISA’s Recommended Mitigation Measures

Due to the lack of available patches, CISA strongly advises organizations to disconnect and remove Contec CMS8000 monitors from their networks immediately. Healthcare providers should:

  • Inspect patient monitors for anomalies, such as discrepancies between displayed and actual patient vitals.

  • Monitor network activity for unusual data transmission or remote access attempts.

  • Review procurement practices, as these devices are rebranded and sold under different names, including Epsimed MN-120.
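
One way to carry out the network-monitoring step is sketched below. This is an added example, not code from the CISA or FDA advisories. Because the firmware bypasses the device's own network settings, the check runs on flow logs and flags any traffic from monitor addresses to a peer that is not explicitly approved. The log format, subnets, addresses and ports are all constructed assumptions, and the external address is a documentation-range placeholder, not the IP from the advisory.

```python
import csv
import io
import ipaddress

# Assumed inventory: subnet assigned to patient monitors (constructed).
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")
# Assumed approved peer: the central monitoring station only (constructed).
APPROVED_PEERS = {ipaddress.ip_address("10.20.40.5")}
# Assumed site-internal address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records (203.0.113.77 is a placeholder address).
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2025-02-01T08:00:01Z,10.20.30.11,10.20.40.5,tcp,9000,4200
2025-02-01T08:00:04Z,10.20.30.11,203.0.113.77,tcp,9000,1880
2025-02-01T08:00:09Z,10.20.30.12,10.20.50.9,udp,137,90
2025-02-01T08:00:12Z,10.20.60.3,198.51.100.4,tcp,443,5100
2025-02-01T08:00:15Z,10.20.30.12,203.0.113.77,tcp,9000,2040
"""

def find_suspect_flows(flow_csv):
    """Return flows from monitors to any peer that is not explicitly approved."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in MONITOR_NET or dst in APPROVED_PEERS:
            continue
        external = not any(dst in net for net in INTERNAL_NETS)
        findings.append({
            "ts": row["ts"], "src": str(src), "dst": str(dst),
            "dport": int(row["dport"]), "bytes": int(row["bytes"]),
            "severity": "high" if external else "review",
        })
    return findings

def summarize(findings):
    """Map each external destination to the monitors that contacted it."""
    by_dst = {}
    for f in findings:
        if f["severity"] == "high":
            by_dst.setdefault(f["dst"], set()).add(f["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}

if __name__ == "__main__":
    hits = find_suspect_flows(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

A single external destination contacted by several monitors, as in the summary output, is the pattern a hard-coded address would produce.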


Manufacturer and Global Distribution

The CMS8000 Patient Monitor is manufactured by Contec Medical Systems, based in Qinhuangdao, China. The company claims its medical devices are FDA-approved and distributed in over 130 countries.


Final Thoughts

The discovery of these unpatched, critical vulnerabilities underscores the importance of cybersecurity vigilance in medical device procurement and deployment. Organizations relying on Contec CMS8000 monitors must take immediate action to mitigate security risks and protect patient data.


For ongoing updates, visit CISA’s official advisory page and consult with cybersecurity experts to ensure compliance with healthcare security standards.