 [German]The US cyber security authority CISA warns of a backdoor in the Contec CMS8000 patient monitor system from a Chinese manufacturer. A backdoor has been discovered in various firmware versions that enables data transmission and remote access. The devices should be isolated from the Internet or taken out of service immediately.
Contec CMS8000 patient monitor system
According to CISA, the Contec CMS8000 is used in medical facilities in the USA and the European Union for continuous monitoring of a patient's vital signs. The Contec CMS8000 is sometimes relabeled and offered by resellers under a different name. Examples of relabeled devices include the Epsimed MN-120.
The CISA warning
The US authority CISA (Cybersecurity and Infrastructure Agency) has now issued a warning entitled "Contec CMS8000 Contains a Backdoor" against the patient monitor system Contec CMS8000 for the USA.
Security experts have analyzed the firmware of the Contec CMS8000 patient monitor and discovered an embedded backdoor that enables communication with a hardcoded IP address. The vulnerability CVE-2025-0683 poses a risk to patient safety, writes CISA. There is a possibility that the patient monitor does not respond correctly to the patient's vital signs and that the patient's personal information is leaked.
CISA concludes that the existing backdoor in the patient monitor firmware may create conditions that allow remote code execution and modification of the device. This creates the ability to change the configuration of the device, allowing patient safety to be compromised, as an improperly functioning patient monitor could result in an inappropriate response to the patient's vital signs, the authority adds. A CISA fact sheet can be found here.
There are two vulnerabilities (CVE-2025-0626 and CVE-2025-0683). In addition to direct communication with a fixed IP address, the patient monitor also transmits the data in plain text to the hardcoded IP address. Bleeping Computer had also picked it up here.
FDA recommendations
The Food and Drug Administration (FDA) has pointed out in this warning that the backdoor was found in three firmware versions and lists the risks. The FDA writes that users of the devices should clarify with the technically responsible persons whether the devices have remote monitoring functions. Remote monitoring means that the device uses an Internet connection to allow a healthcare provider to assess the patient's vital signs from another location (e.g., a remote monitoring system or a centralized monitoring system).
If the healthcare provider confirms that the device has remote monitoring capabilities, the patient monitor should be taken out of service and an alternative monitoring system should be used.
If the Contec CMS8000 patient monitor is not dependent on remote monitoring functions, only the local monitoring functions may be used; internet connections must be cut. This means that the Ethernet cable of the device must be disconnected and the wireless (i.e. WiFi or mobile phone) functions must be deactivated. This is to ensure that the patient's vital signs can only be monitored by a caregiver in the presence of the patient.
If the wireless functions cannot be deactivated, the device must be deactivated (pull the plug out of the socket) and may no longer be used.
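As an added example (not from CISA, the FDA or this post's author), the following Python check lets an operator verify from firewall or flow logs that the isolation steps above actually took effect: it flags inventoried monitors that still send anything at all, and separately any monitor traffic that leaves the site, which is the behaviour the advisory attributes to the backdoor. The monitor inventory, the site address space, the log format and the sample records are assumptions; the backdoor's hardcoded address is deliberately left as a placeholder to be filled from the CISA advisory.

```python
"""Audit flow/firewall logs for Contec CMS8000 monitors that still use the network
after the isolation steps above. Sample data is constructed; monitor inventory,
site prefixes and log format are assumptions, not taken from the advisory."""
import ipaddress
from collections import defaultdict
from typing import Optional

# Assumed inventory: CMS8000 units, including relabeled ones such as the Epsimed MN-120.
MONITOR_IPS = {"10.20.5.11", "10.20.5.12"}
# Assumed address space of the hospital network; anything else counts as off-site.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Placeholder: the backdoor's hardcoded address comes from the CISA advisory, not this page.
BACKDOOR_IPS: set = set()

def is_off_site(ip: str) -> bool:
    """True if the destination lies outside the assumed site prefixes."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SITE_NETS)

def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed record: 'timestamp src dst proto dport bytes'."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed or truncated line: skip rather than crash
    ts, src, dst, proto, dport, nbytes = parts
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}

def audit_monitor_flows(lines):
    """Return (off_site, still_online). off_site maps monitor -> [(dst, dport, bytes)]
    for flows leaving the site or reaching a known backdoor address. still_online is
    every monitor seen sending anything; once Ethernet is unplugged and wireless is
    disabled, as the FDA recommends, this set should be empty."""
    off_site = defaultdict(list)
    still_online = set()
    for line in lines:
        f = parse_flow(line)
        if f is None or f["src"] not in MONITOR_IPS:
            continue
        still_online.add(f["src"])
        if f["dst"] in BACKDOOR_IPS or is_off_site(f["dst"]):
            off_site[f["src"]].append((f["dst"], f["dport"], f["bytes"]))
    return dict(off_site), still_online

SAMPLE_FLOWS = [  # constructed sample log lines
    "2025-01-31T10:00:01 10.20.5.11 10.20.5.200 tcp 5000 1200",  # local central station
    "2025-01-31T10:00:05 10.20.5.12 203.0.113.7 tcp 515 4096",   # leaves the site
    "2025-01-31T10:00:09 10.20.5.13 203.0.113.7 tcp 515 900",    # not an inventoried monitor
]
```

Run `audit_monitor_flows` over the real export: a non-empty `still_online` means a monitor is not yet isolated, and any `off_site` entry warrants treating the unit as compromised until the firmware question is resolved.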