
CISA, FDA warn of backdoor in Contec patient monitors

CISA and the FDA alerted the sector to vulnerabilities in Epsimed and Contec patient monitors that could enable cyberthreat actors to remotely control the devices.

The FDA issued an alert regarding several cybersecurity vulnerabilities in Contec patient monitors, which could allow cyberthreat actors to bypass security controls, cause the device to crash or take over the device remotely. Chinese company Contec Medical Systems manufactures the affected patient monitors, which are used to monitor vital signs.

The vulnerabilities affect Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. Epsimed MN-120 devices are simply Contec CMS8000 patient monitors that were relabeled as MN-120.

The Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory and fact sheet on the vulnerabilities and hidden backdoor. Both the FDA and CISA recommended that users remove any Contec CMS8000 devices from their networks immediately.

Technical details

CISA and the FDA warned patients and healthcare organizations of three vulnerabilities connected to these Contec and Epsimed devices. An anonymous researcher reported the vulnerabilities to CISA.

One of the vulnerabilities, known as CVE-2025-0683, might enable patient data leakage. Researchers found that the product transmits plain-text patient data to a hard-coded public IP address in its default configuration. As a result, confidential patient data could be leaked to any device with that IP address.

According to the FDA, CISA determined that "once the patient monitor is connected to the internet, it begins gathering and exfiltrating (withdrawing) patient data outside of the health care delivery environment, including when the device is used in a home setting."

The patient monitors also contain a backdoor, known as CVE-2025-0626, in which the product bypasses device network settings while sending out remote access requests to a hard-coded IP address. This means that a cyberthreat actor could manipulate the device and compromise the network that the device is connected to.

"The vulnerabilities could allow all vulnerable Contec and Epsimed patient monitors on a given network to be exploited at the same time," the FDA stated.

Finally, a vulnerability known as CVE-2024-12248 shows that the product is vulnerable to an out-of-bounds write, allowing cyberthreat actors to send specially formatted UDP requests to write arbitrary data. This vulnerability could enable remote code execution.

The FDA said that it is not aware of any cybersecurity incidents or injuries related to these cybersecurity vulnerabilities.

How healthcare professionals can mitigate risk

The FDA recommended that healthcare staff only use the local monitoring features of the device. If the patient monitor relies on remote monitoring features, the FDA recommends unplugging the device altogether.

Otherwise, users should unplug the device's Ethernet cable and disable wireless capabilities.

Providers should work with healthcare facility staff to determine if a patient's monitor might be affected. The FDA also advised providers to monitor the devices for any signs of unusual functioning, such as inconsistencies between the patient's state and the data displayed on the device.

CISA recommended that users take defensive measures to reduce risk, including locating control system networks and remote devices behind firewalls and only using trusted manufacturers for critical systems.

Currently, there are no patches available to fix these vulnerabilities.
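
Because the backdoor bypasses the device's own network settings and no patch exists, outbound traffic from the monitors has to be checked at the network edge rather than on the device. The following is an added example, not code from CISA, the FDA or the vendor: it scans flow records for monitors contacting addresses outside the facility's networks and reports destinations shared by several monitors, the pattern a hard-coded address produces. The monitor inventory, internal ranges, log format and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of patient-monitor addresses (assumption).
MONITOR_IPS = {"10.20.5.11", "10.20.5.12", "10.20.5.13"}
# Networks the facility treats as internal (assumption: RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src dst proto dport bytes".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real IoCs.
SAMPLE_FLOWS = """\
2025-02-01T08:00:01Z 10.20.5.11 10.20.1.5 tcp 9000 1200
2025-02-01T08:00:02Z 10.20.5.11 203.0.113.50 tcp 8080 4096
2025-02-01T08:00:03Z 10.20.5.12 203.0.113.50 tcp 8080 3900
2025-02-01T08:00:04Z 10.20.9.40 198.51.100.7 tcp 443 800
2025-02-01T08:00:05Z 10.20.5.13 10.20.1.5 tcp 9000 1100
malformed line
2025-02-01T08:00:07Z 10.20.5.13 203.0.113.50 udp 8080 64
"""

def external_flows(flow_text, monitors=MONITOR_IPS, internal=INTERNAL_NETS):
    """Map each non-internal destination to the monitors that contacted it."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _ts, src, dst, _proto, _dport, _nbytes = fields
        if src not in monitors:
            continue  # only patient monitors are in scope
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is not a valid IP address
        if not any(dst_ip in net for net in internal):
            hits[dst].add(src)
    return dict(hits)

def shared_destinations(hits, min_devices=2):
    """Keep destinations reached by at least min_devices monitors."""
    return {dst: sorted(srcs) for dst, srcs in hits.items()
            if len(srcs) >= min_devices}

if __name__ == "__main__":
    for dst, srcs in shared_destinations(external_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {len(srcs)} monitors contacted external host {dst}: {srcs}")
```

Any hit from a monitor that is supposed to be in local-only use indicates the device is still reaching the network and should be disconnected as the FDA recommends.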

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
