Patient monitors with backdoor are sending info to China, CISA warns

Contec CMS8000, a patient monitor manufactured by a Chinese company, and Epsimed MN-120, which is the same monitor but relabeled, exfiltrate patients’ data to a hard-coded IP address and have a backdoor that can be used to download and execute unverified files, the US Cybersecurity and Infrastructure Security Agency confirmed.


“CISA assesses the inclusion of this backdoor in the firmware of the monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration. This introduces risk to patient safety as a malfunctioning monitor could lead to improper responses to vital signs displayed by the device.”

A backdoor in the vulnerable Contec patient monitor

Contec CMS8000 is a device for monitoring human vital signs and is widely used in healthcare organizations and settings (e.g., for monitoring patients in their home) in the US and the European Union.

It is manufactured by Contec Medical Systems, which is headquartered in Qinhuangdao, China.

After getting tipped off on the monitor’s unexpected functions by an unnamed external researcher, CISA analyzed three versions of its firmware, and found three vulnerabilities:

  • A reverse backdoor (CVE-2025-0626) that provides automated connectivity to a hard-coded IP address and may allow malicious actors to upload and overwrite files on the device
  • An out-of-bounds write flaw (CVE-2024-12248) that could allow attackers to send specially formatted UDP requests to the device to write arbitrary data and, thus, may allow them to remotely execute potentially malicious code
  • A vulnerability (CVE-2025-0683) that results in plain-text patient data (personal and health information) and monitor sensor data being gathered and sent to the hard-coded public IP address when a patient is hooked up to the monitor.


Decoded patient data binary (Source: CISA)

“Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but a third-party university,” CISA noted.

According to Bleeping Computer, the IP address belongs to a Chinese university, and is also hard-coded in software for other medical equipment made in China by a Chinese manufacturer.

CISA says that the discovered backdoor is “very unlikely to be an alternative update mechanism.”

“The function provides neither an integrity-checking mechanism nor version tracking of updates. When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device. These types of actions and the lack of critical log auditing data go against generally accepted practices and ignore essential components for properly managed system updates, especially for medical devices,” the agency explained.

Additional details about the technical implementation of the backdoor are laid out in this document.

What to do?

The US Food and Drug Administration (FDA) says that they are “not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”

The agency also pointed out that “the vulnerabilities could allow all vulnerable Contec and Epsimed patient monitors on a given network to be exploited at the same time.”

Given that there is currently no patch for these flaws, the FDA advised healthcare providers to be on the lookout for signs of unusual functioning and to switch off remote monitoring features (by unplugging the device’s ethernet cable and disabling wireless capabilities) if they are not needed.

If these features cannot be disabled, healthcare organizations, patients and caregivers are advised to stop using the monitor and find, or ask for, an alternative patient monitor.
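The FDA's advice to watch for "signs of unusual functioning" is easier to act on with a concrete check at the network edge. The script below is an added example, not code from CISA, the FDA or Contec: it reads constructed firewall flow records for a monitoring segment and reports any flow from a monitor to a destination that is not on a short allow list, rating flows to non-RFC1918 (external) addresses as high severity, since traffic from a monitor to a public IP is the pattern CISA describes. The subnet, the allowed hosts, the ports and the key=value log format are all assumptions chosen for illustration.

```python
"""Flag patient-monitor network flows that leave the expected path.

Added example (not part of the CISA/FDA material): parses constructed
firewall flow records and reports monitor-originated flows to hosts that
are not on the allow list. The subnet, allow list and log format are
assumptions for illustration only.
"""
import ipaddress
import re

# Assumed layout: monitors live in 10.20.30.0/24 and should only talk to
# the central monitoring station and an internal DNS/NTP host.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("10.20.30.10"),  # central station (assumed)
    ipaddress.ip_address("10.20.0.53"),   # internal DNS/NTP (assumed)
}

# Explicit RFC 1918 ranges. We do not rely on ipaddress.is_global here
# because the documentation ranges used as stand-in public addresses below
# (e.g. 203.0.113.0/24) are classified as special-purpose by the library.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records in a simple key=value firewall log format.
SAMPLE_LOG = """\
2025-01-30T10:15:02Z src=10.20.30.41 dst=10.20.30.10 proto=tcp dport=515 bytes=2048
2025-01-30T10:15:07Z src=10.20.30.41 dst=10.20.0.53 proto=udp dport=123 bytes=76
2025-01-30T10:15:09Z src=10.20.30.41 dst=203.0.113.77 proto=tcp dport=515 bytes=9120
2025-01-30T10:15:11Z src=10.20.30.42 dst=10.20.40.5 proto=tcp dport=22 bytes=410
2025-01-30T10:16:00Z src=10.20.40.9 dst=198.51.100.3 proto=tcp dport=443 bytes=30000
malformed line that should be skipped
"""

_KV = re.compile(r"(\w+)=(\S+)")


def is_internal(addr):
    """True if addr falls in one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_RANGES)


def parse_record(line):
    """Return (timestamp, fields) for a well-formed line, else None."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(_KV.findall(parts[1]))
    if "src" not in fields or "dst" not in fields:
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None  # unparsable address: skip rather than crash
    return parts[0], fields


def find_unexpected_flows(log_text, monitor_subnet=MONITOR_SUBNET,
                          allowed=ALLOWED_DESTINATIONS):
    """Return findings for monitor-originated flows to non-allow-listed hosts.

    Severity is "high" when the destination is outside RFC 1918 space
    (a public address) and "medium" for an unexpected internal host.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f["src"] not in monitor_subnet:
            continue  # only the monitor segment is in scope
        if f["dst"] in allowed:
            continue
        severity = "medium" if is_internal(f["dst"]) else "high"
        findings.append({
            "time": ts,
            "src": str(f["src"]),
            "dst": str(f["dst"]),
            "dport": f.get("dport"),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_flows(SAMPLE_LOG):
        print(f"{hit['severity'].upper():6} {hit['time']} "
              f"{hit['src']} -> {hit['dst']}:{hit['dport']}")
```

On the sample data the monitor at 10.20.30.41 is flagged at high severity for its flow to 203.0.113.77, and 10.20.30.42 at medium severity for reaching an internal host that is not on the allow list; the flow from 10.20.40.9 is ignored because it does not originate in the monitor segment. In practice the allow list would come from the network's documented data paths, and a high-severity hit on a device that cannot be patched is a prompt to isolate it, as the FDA recommends.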
