Backdoor in Contec CMS8000 monitors may allow faulty patient readings

Vulnerability Management, Endpoint/Device Security, Privacy

![Close-up of stethoscope on a circuit board with blue lights, symbolizing the intersection of technology and healthcare for diagnostic solutions.](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2025/01/013125_stethoscope_healthcare.jpg)

Over 340K impacted by separate US healthcare breaches. (Adobe Stock)

Editor's note: Researchers with Claroty's Team82 published a report Feb. 2 saying their investigation of the Contec CMS8000 firmware leads them to believe that the backdoor CISA and the FDA warned about in their advisory is instead an insecure/vulnerable design that introduces great risk to patient monitor users and hospital networks.

The U.S. government warned Jan. 30 that a backdoor in the firmware of Contec CMS8000 patient monitors could allow for remote code execution that could let attackers alter configurations, introducing risk because a malfunctioning monitor could lead to an improper response to a patient’s vital signs.

In its advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) explained that the devices contain a “hardcoded” credential backdoor that, if exploited, could compromise patient safety, disrupt hospital operations, and lead to regulatory repercussions for healthcare organizations.

The Contec CMS8000 devices, manufactured by China-based Contec Medical Systems, are used in medical settings in the United States and European Union to provide continuous monitoring of a patient’s vital signs. According to the FDA, there are three main concerns around these new cybersecurity vulnerabilities:

- An unauthorized user could remotely control the patient monitor.
- The firmware has a backdoor, potentially compromising the device or its connected network.
- When connected to the internet, the patient monitor collects patient data, including PII and PHI, and sends it outside the healthcare environment.

Since there is no patch available, the FDA has told hospitals to unplug the Contec devices and stop using them, and to use only the local monitoring features on the patient monitor.

“The inclusion of a backdoor in a widely used patient monitoring system is particularly concerning, as it could lead to adverse patient outcomes due to compromised device functionality,” said Russell Teague, chief information security officer at Fortified Health Security. “The risks associated with these vulnerabilities extend beyond data privacy concerns to the very core of patient care and safety.”

Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens, explained that the patient monitoring market is competitive, and smaller companies like Contec may have niche adoption — and therein lies the problem.

“Precise deployment numbers are not only elusive, but it’s also possible that the machines may have been rebranded and sold to outpatient clinics, ambulatory care centers, or home health settings rather than large hospitals,” said Sarkar. “There are only two mitigation options for hospitals. Remove the device or microsegment it so that it goes out of reach of unauthorized users.”

Tim Mackey, head of software supply chain risk strategy at Black Duck, added that for those unfamiliar with patient monitors, these are the devices that aggregate and display information about a patient whose condition is being monitored. Mackey said these devices are typically deployed in a healthcare facility, but they can also be used outside of a dedicated facility.

“When connected to a network, the information can be forwarded to a central clinician station rather than relying on alarm noises,” said Mackey. “For patients outside of a primary healthcare facility, remote networking could offer access to medical skills not otherwise locally available. Compromising such devices could directly impact patient care.”

Here's a rundown of the three main vulnerabilities based on information from CISA and the FDA:

- CVE-2025-0626, CVSS 7.7: The affected devices send out remote access requests to a hardcoded IP address, bypassing existing device network settings. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.
- CVE-2025-0683, CVSS 8.2: In its default configuration, the affected product transmits plain-text patient data to a hardcoded public IP address when a patient is hooked up to the monitor. This could lead to leakage of confidential patient data to any device with that IP address or to an attacker in a machine-in-the-middle scenario.
- CVE-2024-12248, CVSS 9.3: The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution.
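As an added illustration of the segmentation and monitoring advice above (this is not code from the article, CISA, the FDA or Contec), the Python audit below walks constructed flow records and flags two things: a monitor reaching an off-site address, which is the hardcoded-IP behaviour behind CVE-2025-0626 and CVE-2025-0683, and UDP reaching a monitor from anything other than the clinician station, the path on which CVE-2024-12248 is exposed. The monitor segment, station address, on-site ranges and sample flows are assumptions; the placeholder addresses are documentation ranges, not the advisory's hardcoded IP.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed layout (not from the advisory): monitors sit in their own segment,
# the only peer they may reach is the clinician station, and these are the
# address ranges that count as "inside the healthcare environment".
MONITOR_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
CLINICIAN_STATION = ipaddress.ip_address("10.20.1.10")
SITE_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, "timestamp,src_ip,dst_ip,proto,dst_port,bytes".
# 203.0.113.45 and 198.51.100.7 are documentation-range placeholders, not the
# hardcoded address named in the advisory.
SAMPLE_FLOWS = """\
2025-01-31T08:00:01,10.20.0.15,10.20.1.10,TCP,5000,1200
2025-01-31T08:00:05,10.20.0.15,203.0.113.45,TCP,515,480
2025-01-31T08:00:07,10.20.1.10,10.20.0.15,UDP,5000,64
2025-01-31T08:00:09,198.51.100.7,10.20.0.15,UDP,5000,1400
2025-01-31T08:00:12,10.20.0.16,10.20.1.10,TCP,5000,900
"""

Finding = Tuple[str, str, str]  # (timestamp, rule name, "src -> dst:port/proto")

def is_offsite(ip: ipaddress.IPv4Address) -> bool:
    """True when the address is outside every range we treat as on-site."""
    return not any(ip in net for net in SITE_NETWORKS)

def classify_flow(line: str) -> Optional[Finding]:
    """Return a finding for one flow record, or None when the flow is allowed."""
    ts, src, dst, proto, port, _ = line.split(",")
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    detail = f"{src} -> {dst}:{port}/{proto}"
    if src_ip in MONITOR_SEGMENT:
        # A monitor reaching an off-site address is the hardcoded-IP behaviour of
        # CVE-2025-0626 / CVE-2025-0683: patient data leaving the environment.
        if is_offsite(dst_ip):
            return (ts, "monitor-egress-offsite", detail)
        if dst_ip != CLINICIAN_STATION:
            return (ts, "monitor-unapproved-peer", detail)
    elif dst_ip in MONITOR_SEGMENT and proto == "UDP" and src_ip != CLINICIAN_STATION:
        # CVE-2024-12248 is reached over UDP, so only the station may send UDP to a monitor.
        return (ts, "inbound-udp-unapproved-source", detail)
    return None

def audit_flows(records: str) -> List[Finding]:
    """Run classify_flow over every non-empty record and collect the findings."""
    return [f for f in map(classify_flow, filter(str.strip, records.splitlines())) if f]
```

Running `audit_flows(SAMPLE_FLOWS)` on the constructed records yields exactly two findings: the off-site egress at 08:00:05 and the inbound UDP from an unapproved source at 08:00:09.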