The Cybersecurity and Infrastructure Security Agency (CISA) has identified a backdoor in the firmware of Contec CMS8000 patient monitors, devices widely used in healthcare settings to monitor vital signs such as heart rate, blood pressure and oxygen saturation. The backdoor reaches out to a hard-coded IP address and could allow unauthorized remote code execution on the device and exfiltration of patient data, posing significant risks to patient safety and privacy. The two issues are tracked as CVE-2025-0626, covering the hidden functionality that contacts the hard-coded address, and CVE-2025-0683, covering the patient-data leak described below; both were present in every firmware version CISA analyzed, including versions 2.0.6 and 2.0.8.
The discovery of this backdoor raises serious concerns about the security of medical devices and the potential impact on patient safety. If exploited, the vulnerabilities could allow an attacker to alter the device's configuration or software, producing incorrect readings and, in turn, improper clinical responses. Because the backdoor is built into the firmware rather than introduced by an attacker, it is present on every affected unit as shipped and cannot be removed by the operator through normal configuration.
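A first check a practitioner would want after an advisory like this is whether a firmware image contains hard-coded IPv4 literals at all, and whether any of them fall outside the ranges the hospital network uses. The following scanner is an added example, not code from CISA, Contec or the original article; it runs over a small constructed byte string that stands in for a firmware image, and the address 203.0.113.17 in it is a documentation address used only as a placeholder, not the address CISA reported.

```python
import ipaddress
import re
import sys

# A dotted quad of one to three digit groups. The look-arounds stop the pattern from
# matching the tail of a longer number (e.g. "20250101.0.1.2"); octet range is checked
# afterwards so that strings such as "256.1.1.1" are rejected rather than reported.
_DOTTED_QUAD = re.compile(
    rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])"
)

# Ranges a hospital would normally consider "its own" (RFC 1918, loopback, link-local).
# Assumed for the example; adjust to the real network plan.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def extract_ipv4_literals(blob):
    """Return (offset, address) pairs for every valid ASCII IPv4 literal in blob."""
    found = []
    for m in _DOTTED_QUAD.finditer(blob):
        octets = [int(o) for o in m.groups()]
        if all(0 <= o <= 255 for o in octets):
            found.append((m.start(), ".".join(str(o) for o in octets)))
    return found


def is_internal(addr):
    """True if addr lies in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def external_addresses(blob):
    """Sorted, de-duplicated list of literals that point outside the internal ranges."""
    return sorted({addr for _, addr in extract_ipv4_literals(blob) if not is_internal(addr)})


# Constructed stand-in for a firmware image. It is not real CMS8000 content; it mixes a
# version string, an internal NTP address, loopback, one external address and two
# strings that must NOT be reported (an invalid octet and a long numeric build id).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"version 2.0.8\x00"
    + b"ntp_server=10.0.0.5\x00"
    + b"127.0.0.1\x00"
    + b"mount 203.0.113.17:/share /tmp/remote\x00"
    + b"bad 256.1.1.1\x00"
    + b"build 20250101.0.1.2\x00"
)


if __name__ == "__main__":
    # Usage: python scan.py firmware.bin   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIRMWARE
    for offset, addr in extract_ipv4_literals(blob):
        tag = "internal" if is_internal(addr) else "EXTERNAL"
        print(f"0x{offset:08x}  {addr:<15}  {tag}")
```

Finding an external literal is a lead, not proof of a backdoor: vendors embed update servers and NTP hosts too. The point of the triage is to produce a short list of addresses to look up, block at the perimeter and, if possible, trace to the code path that uses them. Addresses stored as packed 4-byte integers rather than ASCII strings will not be caught by this scan and need a disassembler.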
In addition to the backdoor, CISA identified a separate vulnerability in which the device transmits patient data to that same hard-coded IP address, which belongs to a third-party university rather than to a medical facility or the device vendor. During testing, the research team observed the CMS8000 streaming sensitive patient information, including vital signs and sensor data, to the external address over port 515, without any indication to the clinician or patient that this was happening. Port 515/TCP is the port conventionally assigned to the Line Printer Daemon (LPD) protocol, so a hospital network team should not assume that traffic on that port from a monitor is benign printer traffic. With no firmware fix available at the time of the advisory, CISA's guidance was to disconnect affected monitors from the network where possible and otherwise to block their outbound traffic, including to the hard-coded address, at the perimeter.
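The network-side counterpart is to watch what the monitors actually send. The detection below is an added example, not code from CISA or the original article, and it runs over a few constructed flow records in a simple space-separated format (timestamp, source, destination, destination port, protocol, bytes) rather than real captures. The monitor VLAN 10.20.0.0/24, the central-station host 10.20.1.10 with its port 4601, and the external address 203.0.113.17 are all assumptions for the example, not values from the advisory.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network plan for the example: bedside monitors live in one VLAN and are only
# expected to talk to the central monitoring station. Real deployments differ.
MONITOR_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = {("10.20.1.10", 4601)}   # (host, port) pairs monitors may reach
LPD_PORT = 515                                   # port the CMS8000 was observed streaming to

INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def parse_flow(line):
    """Parse 'ts src dst dport proto bytes' into a tuple with numeric port and bytes."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return ts, src, dst, int(dport), proto, int(nbytes)


def check_flows(lines):
    """Return an Alert for every monitor flow that is not on the allowlist.

    Strict allowlisting is the right posture for a device class that has no business
    initiating connections anywhere else; the reason string adds the two signals that
    match the CMS8000 behaviour (external destination, port 515) so an analyst can
    prioritise those hits.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = parse_flow(line)
        if ipaddress.ip_address(src) not in MONITOR_SUBNET:
            continue                              # not a monitor, out of scope here
        if (dst, dport) in ALLOWED_DESTINATIONS:
            continue                              # expected central-station traffic
        reasons = []
        if not is_internal(dst):
            reasons.append("egress to non-internal address")
        if dport == LPD_PORT:
            reasons.append("traffic to port 515/tcp (LPD) outside allowlist")
        if not reasons:
            reasons.append("destination not on monitor allowlist")
        alerts.append(Alert(ts, src, dst, dport, "; ".join(reasons)))
    return alerts


# Constructed flow records; they are not captured from a real device.
SAMPLE_FLOWS = """\
# ts src dst dport proto bytes
2025-01-30T10:00:01Z 10.20.0.15 10.20.1.10 4601 tcp 2048
2025-01-30T10:00:02Z 10.20.0.15 203.0.113.17 515 tcp 9216
2025-01-30T10:00:03Z 10.20.0.22 10.20.1.10 4601 tcp 1024
2025-01-30T10:00:04Z 10.20.0.22 10.20.5.40 515 tcp 512
2025-01-30T10:00:05Z 10.30.0.8 203.0.113.5 443 tcp 4000
""".splitlines()


if __name__ == "__main__":
    for a in check_flows(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

The second sample flow, a monitor sending several kilobytes to an external host on port 515, is the pattern that matches what CISA observed; the fourth shows that the rule still fires for an internal host on 515 that is not on the allowlist, which is what you want when a monitor should never be talking to a printer. Flows from outside the monitor subnet are deliberately ignored so the rule stays narrow enough to run continuously.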
Firmware is software embedded in a hardware device, such as a medical monitor, to control its functionality. It acts as the device's operating system, managing how it operates and interacts with other systems; a flaw in it is present on every unit that ships with that version.
A hard-coded IP address is a fixed, pre-programmed network address embedded in a device's software. Because it is baked into the firmware rather than set in a configuration file, an operator cannot change or remove it without a firmware update from the vendor, which is why a backdoor that relies on one has to be mitigated on the network instead.
Remote code execution (RCE) is a vulnerability that allows an attacker to run malicious code on a device from a remote location.