The U.S. Cybersecurity and Infrastructure Safety Company (CISA) and the Meals and Drug Administration (FDA) have issued alerts concerning the presence of hidden performance in Contec CMS8000 affected person screens and Epsimed MN-120 affected person screens.
The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 rating of seven.7 on a scale of 10.0. The flaw, alongside two different points, was reported to CISA by an nameless exterior researcher.
“The affected product sends out distant entry requests to a hard-coded IP tackle, bypassing present system community settings to take action,” CISA mentioned in an advisory. “This might function a backdoor and result in a malicious actor with the ability to add and overwrite recordsdata on the system.”
“The reverse backdoor supplies automated connectivity to a hard-coded IP tackle from the Contec CMS8000 units, permitting the system to obtain and execute unverified distant recordsdata. Publicly out there information present that the IP tackle shouldn’t be related to a medical system producer or medical facility however a third-party college.”
Two different recognized vulnerabilities within the units are listed under –
- CVE-2024-12248 (CVSS v4 rating: 9.3) – An out-of-bounds write vulnerability that would enable an attacker to ship specifically formatted UDP requests with a view to write arbitrary information, leading to distant code execution
- CVE-2025-0683 (CVSS v4 rating: 8.2) – A privateness leakage vulnerability that causes plain-text affected person information to be transmitted to a hard-coded public IP tackle when the affected person is hooked up to the monitor
Profitable exploitation of CVE-2025-0683 may enable the system with that unspecified IP tackle to achieve entry to confidential affected person data or open the door to an adversary-in-the-middle (AitM) state of affairs.
The security holes have an effect on the next merchandise –
- CMS8000 Affected person Monitor: Firmware model smart3250-2.6.27-wlan2.1.7.cramfs
- CMS8000 Affected person Monitor: Firmware model CMS7.820.075.08/0.74(0.75)
- CMS8000 Affected person Monitor: Firmware model CMS7.820.120.01/0.93(0.95)
- CMS8000 Affected person Monitor: All variations (CVE-2025-0626 and CVE-2025-0683)
“These cybersecurity vulnerabilities can enable unauthorized actors to bypass cybersecurity controls, getting access to and doubtlessly manipulating the system,” the FDA mentioned, including it is “not conscious of any cybersecurity incidents, accidents, or deaths associated to those cybersecurity vulnerabilities presently.”
On condition that these vulnerabilities stay unpatched, CISA is recommending that organizations unplug and take away any Contec CMS8000 units from their networks. It is value noting that the units are additionally re-labeled and bought underneath the identify Epsimed MN-120.
It is also suggested to test the affected person screens for any indicators of surprising functioning, reminiscent of “inconsistencies between the displayed affected person vitals and the affected person’s precise bodily state.”
CMS8000 Affected person Monitor is manufactured by Contec Medical Programs, a developer of medical units which can be positioned in Qinhuangdao, China. On its web site, the corporate claims its merchandise are FDA-approved and distributed to over 130 nations and areas.
