Date: 2025-02-03

The FDA issued an alert regarding several cybersecurity vulnerabilities in Contec patient monitors, which could allow cyberthreat actors to bypass security controls, cause the device to crash or take over the device remotely. Chinese company Contec Medical Systems manufactures the affected patient monitors, which are used to monitor vital signs.

The vulnerabilities affect Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. Epsimed MN-120 devices are simply Contec CMS8000 patient monitors that were relabeled as MN-120.

The Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory and fact sheet on the vulnerabilities and hidden backdoor. Both the FDA and CISA recommended that users remove any Contec CMS8000 devices from their networks immediately.

Technical details

CISA and the FDA warned patients and healthcare organizations of three vulnerabilities connected to these Contec and Epsimed devices. An anonymous researcher reported the vulnerabilities to CISA.

One of the vulnerabilities, known as CVE-2025-0683, might enable patient data leakage. Researchers found that the product transmits plain-text patient data to a hard-coded public IP address in its default configuration. As a result, confidential patient data could be leaked to any device with that IP address. According to the FDA, CISA determined that "once the patient monitor is connected to the internet, it begins gathering and exfiltrating (withdrawing) patient data outside of the health care delivery environment, including when the device is used in a home setting."

The patient monitors also contain a backdoor, known as CVE-2025-0626, in which the product bypasses device network settings while sending out remote access requests to a hard-coded IP address. This means that a cyberthreat actor could manipulate the device and compromise the network that the device is connected to. "The vulnerabilities could allow all vulnerable Contec and Epsimed patient monitors on a given network to be exploited at the same time," the FDA stated.

Finally, a vulnerability known as CVE-2024-12248 shows that the product is vulnerable to an out-of-bounds write, allowing cyberthreat actors to send specially formatted UDP requests to write arbitrary data. This vulnerability could enable remote code execution.

The FDA said that it is not aware of any cybersecurity incidents or injuries related to these cybersecurity vulnerabilities.
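
The outbound traffic described under CVE-2025-0683 and CVE-2025-0626 can be hunted for in network flow records. The following is an added example, not part of the original article or of any FDA or CISA material. The flow-log format, the monitor subnet and every address in it are constructed assumptions; because the article does not give the hard-coded IP address, the check flags any destination outside internal address space.

```python
import ipaddress
from collections import defaultdict

# Assumption: subnet where the patient monitors live (constructed value).
MONITOR_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Internal (RFC 1918) space; any other destination counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2025-02-03T10:00:01Z 10.20.30.15 10.20.1.5 tcp 6000 1200
2025-02-03T10:00:02Z 10.20.30.15 203.0.113.7 tcp 8080 48211
2025-02-03T10:00:03Z 10.20.40.9 198.51.100.20 tcp 443 900
2025-02-03T10:00:04Z 10.20.30.22 203.0.113.7 udp 9999 310
2025-02-03T10:05:02Z 10.20.30.15 203.0.113.7 tcp 8080 1000
malformed line
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def external_egress(flow_text):
    """Return {monitor_ip: {dst_ip: total_bytes}} for flows leaving internal space."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip records that do not match the assumed format
        _, src, dst, _, _, nbytes = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            count = int(nbytes)
        except ValueError:
            continue
        if in_any(src_ip, MONITOR_NETS) and not in_any(dst_ip, INTERNAL_NETS):
            hits[src][dst] += count
    return {src: dict(dsts) for src, dsts in hits.items()}

def shared_destinations(hits):
    """External destinations contacted by more than one monitor."""
    seen = defaultdict(set)
    for src, dsts in hits.items():
        for dst in dsts:
            seen[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in seen.items() if len(srcs) > 1}

if __name__ == "__main__":
    found = external_egress(SAMPLE_FLOWS)
    print(found, shared_destinations(found))
```

Several monitors contacting the same external address is the pattern a hard-coded destination produces, so `shared_destinations` is the result to review first.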