The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued urgent notifications regarding a serious vulnerability found in Contec CMS8000 and Epsimed MN-120 patient monitors. This critical flaw involves hidden functionality that could be exploited by unauthorized actors.
Designated as CVE-2025-0626, the identified vulnerability has a CVSS v4 score of 7.7 out of 10. It was disclosed to CISA by an anonymous researcher and allows the device to send remote access requests to a hard-coded IP address, bypassing its configured network settings. CISA described this as a potential backdoor, presenting risks that include unauthorized file uploads and modifications on the device.
Public records indicate that the hard-coded IP address is associated with a third-party university rather than a legitimate medical device manufacturer or healthcare facility. This raises substantial concerns regarding the integrity of the devices in question. In addition to the primary vulnerability, two further serious issues have been identified. The first, tracked as CVE-2024-12248, carries a CVSS v4 score of 9.3 and involves an out-of-bounds write that could permit remote execution of arbitrary code. The second, CVE-2025-0683, has a CVSS score of 8.2 and concerns a privacy issue: unencrypted patient data may be transmitted to an external IP address while a patient is being monitored.
The successful exploitation of CVE-2025-0683 could potentially lead to unauthorized access to sensitive patient information and create opportunities for adversarial attacks, such as an adversary-in-the-middle (AitM) scenario. The vulnerabilities impact various firmware versions of the CMS8000, with the FDA highlighting that they are unaware of any related incidents, injuries, or deaths so far.
As these security risks remain unaddressed, CISA is advising organizations to disconnect and remove any Contec CMS8000 devices from their networks. It should be noted that these devices are also marketed under the Epsimed MN-120 name. Organizations are further urged to monitor for unusual device behavior, especially discrepancies in displayed patient vitals versus actual conditions.
The Contec CMS8000 is manufactured by Contec Medical Systems, based in Qinhuangdao, China, which asserts that its products are FDA-compliant and serve over 130 global regions. In a subsequent analysis, cybersecurity firm Claroty posited that the issue may not be due to a covert backdoor but stems from insecure design practices. They noted that the static IP addresses involved are documented in the device’s manuals, suggesting a less malicious intent behind the vulnerability.
In light of this analysis, affected organizations are advised to implement network segmentation that blocks traffic to the specified subnet and to maintain tighter egress controls to reduce the risk of information leakage. Mapping the likely tactics to the MITRE ATT&CK framework, such as initial access and persistence, gives defenders useful context for the attack vectors these vulnerabilities open.
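To make the segmentation and monitoring advice concrete, here is an added example (not from the article, CISA, FDA, Claroty or Contec) that scans constructed flow records for patient monitors talking to the blocked subnet or to any destination outside their expected allowlist. The monitor VLAN, the allowed central-station range and the blocked subnet are all assumed placeholder values, since the advisory text quoted here does not publish the hard-coded address.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumed placeholder ranges (the page does not give the real hard-coded
# address); 203.0.113.0/24 is an RFC 5737 documentation range standing in
# for the "specified subnet" that should be blocked at the segment boundary.
MONITOR_VLAN = ipaddress.ip_network("10.20.30.0/24")          # where the monitors sit
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.20.31.0/24")]  # central monitoring station
BLOCKED_SUBNET = ipaddress.ip_network("203.0.113.0/24")       # placeholder for hard-coded subnet

# Constructed flow records: "src dst proto dport bytes" (one flow per line).
SAMPLE_FLOWS = """\
10.20.30.15 10.20.31.5 tcp 5000 1200
10.20.30.15 203.0.113.7 tcp 515 48000
10.20.30.22 8.8.8.8 udp 53 120
10.20.30.22 10.20.31.5 tcp 5000 900
"""


def parse_flow(line: str) -> Dict[str, object]:
    """Turn one whitespace-separated flow record into typed fields."""
    src, dst, proto, dport, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def classify(flow: Dict[str, object]) -> Optional[str]:
    """Return an alert reason for monitor egress that violates the policy, else None."""
    if flow["src"] not in MONITOR_VLAN:
        return None                      # only monitor-originated traffic is in scope
    if flow["dst"] in BLOCKED_SUBNET:
        return "hardcoded-subnet"        # traffic toward the subnet CISA says to block
    if not any(flow["dst"] in net for net in ALLOWED_DESTINATIONS):
        return "unexpected-egress"       # anything else leaving the segment is suspect
    return None


def find_alerts(log_text: str) -> List[Dict[str, object]]:
    """Scan flow records and collect the ones a defender should investigate."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append({**flow, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(f"{alert['reason']}: {alert['src']} -> {alert['dst']}:{alert['dport']} ({alert['bytes']} bytes)")
```

The same policy expressed as a deny rule at the VLAN boundary is the preventive control; this script is the detective side that confirms the rule is holding.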
(Note: The article has been updated following Claroty’s analysis.)