Contec Identifies Vulnerability in CMS8000 Patient Monitors That Transmits Patient Data

A remote code execution vulnerability and a hidden backdoor have been found in the firmware of Contec Health's popular patient monitors, the Contec CMS8000 and the Epsimed MN-120 (a relabeled CMS8000). The Cybersecurity and Infrastructure Security Agency (CISA) tested the backdoor and confirmed that patient data is being sent to a hard-coded IP address.

Chinese healthcare technology firm Contec Health supplies patient monitoring systems, lab instruments, and diagnostic equipment, and healthcare institutions in Europe and the United States widely use these products. After an anonymous external researcher reported firmware problems, CISA analyzed the devices and confirmed three vulnerabilities across several firmware versions, including a backdoor that quietly sends patient data, including PHI, in plain text to an external hard-coded IP address.

All analyzed versions of the Epsimed MN-120 Patient Monitor and Contec Health CMS8000 Patient Monitor were found to contain the backdoor. In the default configuration, the monitors transmit patient information to a public IP address as soon as they are connected to a patient. Whatever system sits at that hard-coded IP address receives the patient information, and because the data is sent in plain text, it can also be intercepted in transit by a machine-in-the-middle attack. The transmitted information includes the physician's name, the patient's name, patient ID, the patient's date of birth, and monitoring data. Transmission begins whenever the patient monitor has an internet connection.

The hidden backdoor causes the device to send remote access requests to the hard-coded IP address, bypassing the device's configured network settings. Through it, a malicious actor can upload files to the device and overwrite the files already on it. The backdoor is tracked as CVE-2025-0626 and has a CVSS base score of 7.5. The plain-text disclosure of personal data is tracked as CVE-2025-0683 and has a CVSS base score of 5.9.

The critical vulnerability CVE-2024-12248, found in three firmware versions, can lead to remote code execution and has a CVSS base score of 9.8. It is an out-of-bounds write: an attacker can send specially formatted UDP requests that write arbitrary data to the device, which could result in remote code execution and let the attacker take control of the device. The following firmware versions are affected by this vulnerability:

CMS8000 Patient Monitor: Firmware version CMS7.820.120.01/0.93(0.95)
CMS8000 Patient Monitor: Firmware version CMS7.820.075.08/0.74(0.75)
CMS8000 Patient Monitor: Firmware version smart3250-2.6.27-wlan2.1.7.cramfs

CISA states that the vulnerabilities can be exploited against every vulnerable device on a shared network. They allow an unauthorized actor to manipulate the patient monitors remotely and obtain patient information, and a backdoored monitor could easily be the foothold for a wider network breach. CISA stated that the hard-coded IP address is not associated with Contec Health and traced it to a university. BleepingComputer identified the address as belonging to a Chinese university and reported that the same backdoor is also present in healthcare equipment from other Chinese manufacturers, including a pregnancy patient monitor.
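Because no patch exists, the practical defence is to watch the monitors' network traffic for the three behaviours described above: outbound data from a monitor to any public address (CVE-2025-0683), any external host reaching a monitor (the remote-access path behind CVE-2025-0626), and UDP to a monitor from anything other than the trusted central station (the transport for CVE-2024-12248). The script below is an added example written for this page; it is not Contec's or CISA's code and does not use the real hard-coded address, which the advisory text here does not give. The flow-record format, the monitor and central-station IPs, the internal address ranges, and the ports in the sample records are all constructed for illustration.

```python
"""Flow-record triage for the CMS8000 behaviours described in the advisory.

Added example, not Contec or CISA code. It assumes a simple comma-separated
flow-log line (constructed here) and a hypothetical facility inventory; replace
the constants with the real monitor addresses and internal ranges.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory (assumed values, not from the advisory).
MONITOR_IPS = {"10.20.30.11", "10.20.30.12"}   # CMS8000 units on the ward VLAN
CENTRAL_STATION_IPS = {"10.20.30.1"}           # the only host that should talk to them
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    rule: str      # which advisory behaviour the flow matches
    monitor: str   # the monitor involved
    peer: str      # the other endpoint
    line: str      # the raw record, for the ticket


def is_internal(ip: str) -> bool:
    """True if ip lies in one of the facility's private ranges (explicit list,
    so documentation/test addresses used in samples count as external)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed record: ts,src_ip,dst_ip,proto,dst_port,bytes."""
    ts, src, dst, proto, dport, nbytes = (f.strip() for f in line.split(","))
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "bytes": int(nbytes)}


def triage(flow_lines):
    """Return one Finding per flow that matches an advisory behaviour."""
    findings = []
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        # CVE-2025-0683: a monitor sends (plain-text) patient data to a public IP.
        if f["src"] in MONITOR_IPS and not is_internal(f["dst"]):
            findings.append(Finding("phi-egress", f["src"], f["dst"], line))
        # CVE-2025-0626: remote-access traffic from the hard-coded external
        # address; any external peer reaching a monitor is wrong, whatever the IP.
        if f["dst"] in MONITOR_IPS and not is_internal(f["src"]):
            findings.append(Finding("external-inbound", f["dst"], f["src"], line))
        # CVE-2024-12248: the out-of-bounds write is reached over UDP, so UDP to a
        # monitor from anything but the central station is an exploitation path.
        if (f["dst"] in MONITOR_IPS and f["proto"] == "udp"
                and f["src"] not in CENTRAL_STATION_IPS):
            findings.append(Finding("untrusted-udp", f["dst"], f["src"], line))
    return findings


# Constructed sample records (not captured traffic); 203.0.113.7 stands in for
# an arbitrary public address, not the advisory's real hard-coded IP.
SAMPLE_FLOWS = """
# ts,src_ip,dst_ip,proto,dst_port,bytes
2025-01-30T08:00:01Z,10.20.30.11,10.20.30.1,tcp,515,2048
2025-01-30T08:00:05Z,10.20.30.11,203.0.113.7,tcp,8080,5120
2025-01-30T08:00:09Z,203.0.113.7,10.20.30.11,tcp,22,900
2025-01-30T08:00:12Z,10.20.30.99,10.20.30.12,udp,6000,600
2025-01-30T08:00:15Z,10.20.30.1,10.20.30.12,udp,6000,600
""".strip().splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(f"{finding.rule:16} monitor={finding.monitor:13} peer={finding.peer}")
```

Run against the constructed sample, the script raises three findings: the monitor's egress to the public address, the inbound connection from that same address, and the UDP traffic from an unlisted internal host. The rules deliberately key on "any external address" rather than the one hard-coded IP, since the same backdoor has reportedly shipped in other devices and the destination could change with a firmware version.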

The U.S. Food and Drug Administration (FDA) and CISA have both issued warnings about the vulnerabilities, and prompt action is needed. Vulnerable devices must be disconnected from the internet and used only for local monitoring until Contec Health releases a firmware update. No firmware patch that mitigates the vulnerabilities is currently available.

Here are FDA’s Safety Recommendations:

If your patient monitor depends on remote monitoring functions, unplug the device and stop using it.
If your device does not depend on remote monitoring functions, disconnect its internet connection and disable its wireless functions. If the wireless functions cannot be disabled, continued use exposes the device to the backdoor and to possible loss of patient data.
Healthcare facility personnel are also advised to watch for unusual device behavior, such as a mismatch between the vitals the monitor displays and the patient's actual physical condition.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA