CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors

Jan 31, 2025 | Ravie Lakshmanan | Vulnerability / Healthcare

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.

The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA by an anonymous external researcher.

“The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so,” CISA stated in an advisory. “This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.”

“The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files. Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but a third-party university.”

Two other identified vulnerabilities in the devices are listed below –

  • CVE-2024-12248 (CVSS v4 score: 9.3) – An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution
  • CVE-2025-0683 (CVSS v4 score: 8.2) – A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is hooked up to the monitor

Successful exploitation of CVE-2025-0683 could allow the device with that unspecified IP address to gain access to confidential patient information or open the door to an adversary-in-the-middle (AitM) scenario.
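The following is an added detection example, not taken from the CISA or FDA advisories or from this article. It scans flow records for patient monitors that reach addresses outside the internal network, and highlights destinations contacted by several monitors, which is what a hard-coded address looks like on the wire. The monitor inventory, allowlist, ports and flow records are all constructed, and the external addresses are documentation-range placeholders.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed inventory: CMS8000 / MN-120 monitors on a clinical VLAN (assumption).
MONITORS = {"10.20.5.11", "10.20.5.12", "10.20.5.13"}
# Constructed allowlist: the central station the monitors are configured to use.
ALLOWED_DESTS = {"10.20.1.50"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for external hosts; ports are arbitrary sample values.
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
10.20.5.11,10.20.1.50,tcp,6000,48211
10.20.5.11,203.0.113.77,tcp,9000,1320
10.20.5.12,203.0.113.77,tcp,9000,1298
10.20.5.13,10.20.1.50,tcp,6000,50102
10.20.5.13,203.0.113.77,tcp,9000,1411
10.20.9.40,198.51.100.9,tcp,443,90211
10.20.5.11,198.51.100.23,udp,123,76
10.20.5.12,10.20.1.50,tcp,6000,47770
"""

def is_internal(addr):
    """True if addr falls inside one of the site's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_unexpected_egress(flow_csv, monitors=MONITORS, allowed=ALLOWED_DESTS):
    """Return {external_dst: sorted monitors that contacted it}."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in monitors or row["dst"] in allowed:
            continue  # not a monitor, or expected central-station traffic
        if not is_internal(row["dst"]):
            hits[row["dst"]].add(row["src"])
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

def shared_destinations(hits, min_devices=2):
    """External destinations reached by several monitors (hard-coded pattern)."""
    return sorted(dst for dst, srcs in hits.items() if len(srcs) >= min_devices)

if __name__ == "__main__":
    hits = find_unexpected_egress(SAMPLE_FLOWS)
    for dst in shared_destinations(hits):
        print(f"ALERT {dst} contacted by monitors: {', '.join(hits[dst])}")
```

Any external destination reported for a monitor is worth investigating; one shared across the whole fleet regardless of each device's configured settings matches the behavior the advisory describes.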

The security holes affect the following products –

  • CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs
  • CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
  • CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)
  • CMS8000 Patient Monitor: All versions (CVE-2025-0626 and CVE-2025-0683)

“These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device,” the FDA said, adding it is “not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”

Given that these vulnerabilities remain unpatched, CISA is recommending that organizations unplug and remove any Contec CMS8000 devices from their networks. It's worth noting that the devices are also re-labeled and sold under the name Epsimed MN-120.

It's also advised to check the patient monitors for any signs of unusual functioning, such as “inconsistencies between the displayed patient vitals and the patient’s actual physical state.”

CMS8000 Patient Monitor is manufactured by Contec Medical Systems, a developer of medical devices that is located in Qinhuangdao, China. On its website, the company claims its products are FDA-approved and distributed to over 130 countries and regions.
