Critical vulnerabilities in Contec’s CMS8000 patient monitors are causing unauthorized data exfiltration, prompting urgent warnings from the FDA and CISA.
Key Points at a Glance:
- Contec’s CMS8000 patient monitors are found to have multiple severe vulnerabilities.
- These flaws allow unauthorized access and data exfiltration of patient information.
- The FDA and CISA advise immediate disconnection of these devices from the internet.
- No known incidents have occurred yet, but the risk of exploitation remains high.
Discovery of Critical Vulnerabilities
The United States Food and Drug Administration (FDA) has issued an urgent advisory concerning the Contec CMS8000 patient monitors, also marketed as the Epsimed MN-120. These devices contain three significant vulnerabilities:
- CVE-2024-12248 (CVSS 9.3): Allows remote code execution.
- CVE-2025-0626 (CVSS 7.5): Enables attackers to crash the device.
- CVE-2025-0683 (CVSS 5.9): Facilitates unauthorized data exfiltration.
The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted that these vulnerabilities could permit attackers to remotely execute code, cause device failures, and, most concerningly, extract patient information without authorization.
Unauthorized Data Exfiltration
Once connected to the internet, the CMS8000 monitors begin collecting patient data, including personally identifiable information (PII) and protected health information (PHI). This data is then transmitted outside the healthcare environment without consent, posing significant privacy risks.
Immediate Recommendations
In response to these findings, the FDA strongly recommends that healthcare providers and caregivers:
- Disconnect the CMS8000 devices from the internet immediately.
- Disable the devices’ Wi-Fi capabilities.
- Cease using these monitors for remote patient monitoring.
While there have been no reported cybersecurity incidents related to these devices so far, the potential for exploitation is substantial. Connected devices could be compromised, allowing attackers to move laterally within a network, leading to further security breaches.
Concealment of Malicious Activity
CISA has noted that the backdoor present in these devices is not associated with remote software updates but appears solely focused on data harvesting. The backdoor lacks integrity-checking mechanisms and version tracking, enabling it to overwrite files on the device without the end user’s knowledge. This design effectively hides its presence from hospitals and their information security teams, complicating detection and response efforts.
The FDA and CISA have identified that these devices are manufactured in China and send data to a third-party university. While specific details about the recipient institution have not been disclosed, other reports suggest that the university is located in China.
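A defender's first verification step after the FDA guidance above is to confirm that no monitor on the medical-device VLAN still reaches the internet or talks to unexpected internal hosts (the lateral-movement concern). The following added example is not from the advisory or from Contec; it assumes a constructed asset inventory of monitor IPs, a constructed central-station IP, and a simplified key=value flow-log format, and flags monitor-sourced flows that leave the hospital's RFC1918 ranges or reach an internal peer other than the central station.

```python
import ipaddress
import re

# Constructed inventory: addresses of CMS8000 monitors on the device VLAN.
MONITOR_IPS = {"10.20.5.41", "10.20.5.42"}
# Constructed: the only internal peer a bedside monitor should talk to.
ALLOWED_PEERS = {"10.20.5.2"}
# The hospital's internal address space (RFC1918); anything else is egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a simplified export format (one flow per line).
SAMPLE_FLOWS = """\
2025-01-30T10:12:03Z src=10.20.5.41 dst=10.20.5.2 dport=515 proto=tcp
2025-01-30T10:12:09Z src=10.20.5.41 dst=203.0.113.77 dport=515 proto=tcp
2025-01-30T10:13:00Z src=10.20.5.42 dst=10.20.9.15 dport=445 proto=tcp
2025-01-30T10:13:30Z src=10.20.7.8 dst=203.0.113.77 dport=443 proto=tcp
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FLOW_RE.match, text.splitlines()) if m]

def is_internal(ip):
    """True if the address falls inside one of the hospital's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow, monitor_ips=MONITOR_IPS, allowed_peers=ALLOWED_PEERS):
    """Label a monitor-sourced flow, or return None if it is not of concern."""
    if flow["src"] not in monitor_ips:
        return None                       # not a monitor; out of scope here
    if not is_internal(flow["dst"]):
        return "internet-egress"          # monitor still reaches the internet
    if flow["dst"] not in allowed_peers:
        return "unexpected-internal-peer"  # candidate lateral movement
    return None

def find_findings(text, monitor_ips=MONITOR_IPS, allowed_peers=ALLOWED_PEERS):
    """Return (timestamp, src, dst, dport, label) for every suspicious flow."""
    findings = []
    for f in parse_flows(text):
        label = classify(f, monitor_ips, allowed_peers)
        if label:
            findings.append((f["ts"], f["src"], f["dst"], int(f["dport"]), label))
    return findings

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_FLOWS):
        print(finding)
```

Feed it the real flow export and inventory, and any "internet-egress" hit means the disconnection step has not actually taken effect for that device.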
Healthcare providers utilizing Contec’s CMS8000 patient monitors must take immediate action to mitigate these critical vulnerabilities. Disconnecting the devices from the internet and discontinuing their use for remote monitoring are essential steps to protect patient data and maintain the integrity of healthcare networks.