The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.
The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA by an anonymous external researcher.
“The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so,” CISA said in an advisory. “This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.”
“The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files. Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but a third-party university.”
Two other identified vulnerabilities in the devices are listed below –
- CVE-2024-12248 (CVSS v4 score: 9.3) – An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution
- CVE-2025-0683 (CVSS v4 score: 8.2) – A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor
Successful exploitation of CVE-2025-0683 could allow the device with that unspecified IP address to gain access to confidential patient information or open the door to an adversary-in-the-middle (AitM) scenario.
The security holes affect the following products –
- CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs
- CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
- CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)
- CMS8000 Patient Monitor: All versions (CVE-2025-0626 and CVE-2025-0683)
“These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device,” the FDA said, adding it’s “not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”
Given that these vulnerabilities remain unpatched, CISA is recommending that organizations unplug and remove any Contec CMS8000 devices from their networks. It’s worth noting that the devices are also re-labeled and sold under the name Epsimed MN-120.
It’s also advised to check the patient monitors for any signs of unusual functioning, such as “inconsistencies between the displayed patient vitals and the patient’s actual physical state.”
CMS8000 Patient Monitor is manufactured by Contec Medical Systems, a developer of medical devices that are located in Qinhuangdao, China. On its website, the company claims its products are FDA-approved and distributed to over 130 countries and regions.
