
Malware Found in Healthcare Patient Monitors Linked to Chinese IP Address

On January 30, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued medical advisory ICSMA-25-030-01, describing multiple critical vulnerabilities in Contec Health’s CMS8000 Patient Monitor.

These flaws, which can be exploited remotely, have been assigned high Common Vulnerability Scoring System (CVSS) scores, reflecting their significant severity.

Overview of Vulnerabilities

The vulnerabilities identified in the CMS8000 Patient Monitor include an out-of-bounds write, hidden functionality/backdoor access, and privacy leakage.

These issues collectively pose severe risks, including the possibility of remote code execution and the exposure of sensitive patient data to unauthorized entities.

According to researchers, these vulnerabilities could cause the device to connect to unknown external networks, allow attackers to send specially formatted UDP requests, and let them abuse the device’s functionality to access patient information or execute arbitrary code.

The out-of-bounds write vulnerability (CWE-787), tracked as CVE-2024-12248, enables remote attackers to send maliciously crafted UDP requests to execute arbitrary code. The issue has been rated with a CVSS v4 base score of 9.3.

Similarly, the hidden functionality/backdoor flaw (CWE-912), identified as CVE-2025-0626, involves the device sending remote access requests to a hard-coded IP address, bypassing network configurations. This vulnerability has a CVSS v4 base score of 7.7.

Moreover, the privacy leakage flaw (CWE-359), CVE-2025-0683, broadcasts plain-text patient data to a public IP address, potentially allowing unauthorized access to confidential information.

Global Impact

The CMS8000 Patient Monitor, widely deployed in healthcare facilities globally, is critical for patient monitoring and care.

However, its vulnerabilities could be exploited for simultaneous attacks across multiple devices on shared networks, escalating the risk of systemic failures.

The U.S. Food and Drug Administration (FDA) has also issued a safety communication concerning these vulnerabilities.

Contec Health, headquartered in China, has not yet provided details about available patches or updates to mitigate these issues, raising concerns about the immediate security of the affected devices.

CISA strongly advises healthcare providers to remove all CMS8000 devices from their networks to prevent exploitation.

Additional recommendations include isolating medical devices from broader network environments by placing them on dedicated low-privilege subnets, using firewalls to block unauthorized access, and ensuring medical systems are not exposed to the internet.
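The segmentation advice above is only as good as the evidence that it holds: a monitor that is supposed to sit on an isolated subnet but is still reaching a hard-coded public address, as described for CVE-2025-0626 and CVE-2025-0683, would show up as outbound flows leaving that subnet. The following added example (not part of the CISA advisory or any Contec Health software) audits a batch of flow records for exactly that. The subnet 10.50.0.0/24, the central station at 10.50.0.10, the flow format and all sample records are constructed assumptions; the actual hard-coded destination address is not reproduced here and must be taken from ICSMA-25-030-01 itself.

```python
"""Egress audit for a medical-device subnet (added example, not from the advisory).

Assumptions (constructed for illustration): patient monitors live on
10.50.0.0/24, their only legitimate peer is the central monitoring
station at 10.50.0.10, and flow records arrive as CSV lines of
src,dst,proto,dst_port,bytes (e.g. exported from a firewall or NetFlow).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network layout.
DEVICE_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.50.0.10")}

# Address space treated as "inside the organisation". Anything else is the
# internet and must never be reached directly by a monitor.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flows. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary public addresses.
SAMPLE_FLOWS = """\
# src,dst,proto,dst_port,bytes
10.50.0.21,10.50.0.10,tcp,5000,1200
10.50.0.22,203.0.113.45,udp,515,980
10.50.0.23,10.50.0.10,udp,5000,640
10.50.0.21,198.51.100.7,tcp,443,300
10.50.0.24,10.50.1.5,udp,5000,500
10.50.1.5,203.0.113.45,tcp,443,700
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse CSV flow lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport), int(nbytes)))
    return flows


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a monitor-originated flow, or None if benign."""
    if flow.src not in DEVICE_SUBNET:
        return None  # only traffic originating from the monitors is audited
    if flow.dst in ALLOWED_PEERS:
        return None  # monitor -> central station is the expected path
    if not is_internal(flow.dst):
        return "internet-egress"  # violates "not exposed to the internet"
    if flow.dst not in DEVICE_SUBNET:
        return "cross-subnet"  # left the dedicated subnet to another internal host
    return "unexpected-peer"  # monitor talking to a non-station host on its own subnet


def audit(text: str) -> List[Tuple[Flow, str]]:
    """Return every (flow, finding) pair that breaks the segmentation policy."""
    return [(f, c) for f in parse_flows(text) if (c := classify(f)) is not None]


def external_destinations(text: str) -> List[str]:
    """Distinct public addresses reached by monitors; compare these against the
    hard-coded address published in the advisory (not reproduced here)."""
    return sorted({str(f.dst) for f, c in audit(text) if c == "internet-egress"})


if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(f"{finding:16} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({flow.nbytes} B)")
    print("external destinations:", external_destinations(SAMPLE_FLOWS))
```

Run against the constructed sample, the audit flags the two monitors reaching public addresses and the one that crossed into another internal subnet, while the central-station traffic and the non-monitor host are ignored. In production the same classification belongs on the firewall as a deny rule; this script is the check that the rule is actually in effect.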

Organizations are also urged to collaborate with trusted manufacturers for safety-critical systems and conduct impact assessments before implementing any defensive measures.

CISA has published technical guidelines and strategies for mitigating cybersecurity risks in industrial control systems (ICS) on its website.

While no public exploitation of these vulnerabilities has been reported to date, healthcare institutions and organizations using Contec Health’s CMS8000 Patient Monitor must act swiftly.

Immediate defensive measures are essential to protect patient safety and prevent potential data breaches or cyberattacks on critical healthcare infrastructure.
