Potential Backdoor Embedded in Contec Health CMS8000 Patient Monitor Firmware

Summary

CISA has found evidence of Contec CMS8000 and re-labelled Epsimed MN-120 devices beaconing to a public IP address 


Threat details

Re-labelled Contec CMS8000 devices

Contec CMS8000 devices can also be re-labelled and sold by resellers. U.S. authorities have identified that Epsimed MN-120 patient monitors are re-labelled Contec CMS8000 devices and are also affected.


Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a medical product advisory for the Contec Health CMS8000 Patient Monitor to address one critical and three high severity vulnerabilities. The Contec CMS8000 is a patient monitor used to display real-time information such as the vital signs of a patient, including temperature, heartbeat, and blood pressure. Additionally, the CMS8000 includes remote monitoring features, which use an internet connection to allow a healthcare provider to evaluate patient vital signs from another location.

CISA and the U.S. Food and Drug Administration (FDA) have advised that all versions of the CMS8000 firmware potentially contain a backdoor and are vulnerable to remote code execution (RCE). 

Embedded backdoor function in Contec CMS8000 firmware

CISA is advising that all versions of the CMS8000 firmware contain a backdoor to a hardcoded public IP address. Confidential patient data may be exfiltrated by an attacker using this backdoor. 


Vulnerability details

  • CVE-2024-12248 is an 'out-of-bounds write' vulnerability with a CVSSv4 score of 9.3. If exploited, a remote unauthenticated attacker could send a specially-formatted UDP request to write arbitrary data, potentially resulting in RCE. 
  • CVE-2025-0626 is a 'hidden functionality' vulnerability with a CVSSv4 score of 7.7. The CMS8000 device sends out remote access requests to a hard-coded IP address, bypassing existing device network settings. These requests could serve as a backdoor and lead to an attacker being able to upload and overwrite files on the device.
  • CVE-2025-0683 is an 'exposure of private personal information to an unauthorised actor' vulnerability with a CVSSv4 score of 8.2. In its default configuration, the CMS8000 device transmits plain-text patient data to a hard-coded public IP address when a patient is connected to the monitor. Confidential patient data could be leaked to any device with that IP address or an attacker in an adversary-in-the-middle scenario.
  • CVE-2025-1204 is a 'hidden functionality' vulnerability with a CVSSv4 score of 7.7. When pressing a certain button during the device's start-up process, the 'update' binary of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. If an attacker were able to impersonate or control this IP address they could upload and overwrite files on the device.

Threat updates

Date          Update
26 Feb 2025   Cyber Alert updated to include CVE-2025-1204

Remediation advice

Affected organisations are strongly encouraged to review CISA advisory ICSMA-25-030-01 and follow the mitigations recommended below.

  • Check if any affected devices rely on remote monitoring features. Remote monitoring means the device uses an internet connection to allow a healthcare provider to evaluate patient vital signs from another location (such as a remote monitoring system or central monitoring system).
  • If an affected device does not rely on remote monitoring features, use only the local monitoring features of the patient monitor. This step means unplugging the device’s ethernet cable and disabling any wireless capabilities (WiFi or cellular), so that patient vital signs are only observed by a caregiver or healthcare provider in the physical presence of a patient.
  • If an affected device relies on remote monitoring features, or you cannot disable the wireless capabilities, unplug the device and stop using it. Consider finding an alternative patient monitor.
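
A defender-side check supporting the first step above and the beaconing behaviour described under Vulnerability details, added here as an example and not part of the CISA or NHS alert: given an inventory of patient-monitor addresses and flow records, it reports which monitors have sent traffic to any address outside the organisation's internal ranges, which indicates either legitimate remote monitoring or the hard-coded destination described in CVE-2025-0626 and CVE-2025-0683. The inventory and flow records are constructed, and 203.0.113.7 and 198.51.100.23 are TEST-NET placeholders, since the alert does not publish the hard-coded IP address.

```python
import ipaddress
from collections import defaultdict

# Address space treated as internal to the organisation (RFC1918 plus
# non-routable ranges). Anything else is an off-network destination to review.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# Constructed inventory: patient monitors on an imagined clinical VLAN.
MONITORS = {
    "10.20.30.11": "Contec CMS8000, ward 3 bed 2",
    "10.20.30.12": "Epsimed MN-120 (re-labelled CMS8000), ward 3 bed 5",
    "10.20.30.13": "Contec CMS8000, ward 3 bed 7",
}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, bytes_out).
# 203.0.113.7 and 198.51.100.23 are TEST-NET placeholders, not real indicators.
FLOWS = [
    ("10.20.30.11", "10.20.30.200", 6000, "tcp", 4200),   # central station, internal
    ("10.20.30.11", "203.0.113.7", 6000, "tcp", 9800),    # off-network destination
    ("10.20.30.11", "203.0.113.7", 6000, "tcp", 11200),   # repeat connection
    ("10.20.30.12", "10.20.30.200", 6000, "tcp", 3100),
    ("10.20.30.12", "198.51.100.23", 8080, "udp", 120),
    ("10.20.30.13", "10.20.30.200", 6000, "tcp", 2900),   # local monitoring only
    ("10.20.30.99", "203.0.113.7", 6000, "tcp", 10),      # not an inventoried monitor
]


def is_external(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def monitors_reaching_external(monitors, flows):
    """Map each inventoried monitor that sent traffic off-network to a sorted
    list of (dst_ip, dst_port, proto, connections, total_bytes) tuples."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst, port, proto) -> [count, bytes]
    for src, dst, port, proto, nbytes in flows:
        if src in monitors and is_external(dst):
            totals[(src, dst, port, proto)][0] += 1
            totals[(src, dst, port, proto)][1] += nbytes
    report = defaultdict(list)
    for (src, dst, port, proto), (count, nbytes) in totals.items():
        report[src].append((dst, port, proto, count, nbytes))
    return {src: sorted(rows) for src, rows in report.items()}


if __name__ == "__main__":
    for src, rows in monitors_reaching_external(MONITORS, FLOWS).items():
        print(f"{MONITORS[src]} ({src}) reached off-network addresses:")
        for dst, port, proto, count, nbytes in rows:
            print(f"  {dst}:{port}/{proto}  connections={count}  bytes={nbytes}")
```

Monitors absent from the report (here the ward 3 bed 7 device) only spoke to internal hosts and are candidates for the local-monitoring-only configuration; monitors that do appear need the remote-monitoring decision in the steps above.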

Any actions taken by affected organisations should be conducted in accordance with local risk tolerances and subjected to a local risk assessment.



Last edited: 26 February 2025 11:33 am