Hidden Backdoor in Hospital Patient Monitors Sparks Urgent FDA Security Alert

Critical Security Flaws Discovered in Medical Patient Monitors

CISA and FDA have issued urgent alerts regarding hidden backdoor functionality in Contec CMS8000 and Epsimed MN-120 patient monitors. Three significant vulnerabilities have been identified, with the primary concern (CVE-2025-0626) receiving a CVSS v4 score of 7.7.

Key Vulnerabilities:
1. Remote Access Backdoor (CVE-2025-0626)
– Enables unauthorized connectivity to a hard-coded IP address
– Allows download and execution of unverified files
– IP address linked to a third-party university

2. Code Execution Flaw (CVE-2024-12248)
– CVSS v4 score: 9.3
– Permits arbitrary data writing through UDP requests
– Enables remote code execution

3. Privacy Breach (CVE-2025-0683)
– CVSS v4 score: 8.2
– Transmits unencrypted patient data to a public IP address
– Potential for man-in-the-middle attacks

Affected Devices:
– CMS8000 Patient Monitor (Multiple firmware versions)
– Epsimed MN-120 (rebranded version)

Recommended Actions:
– Immediate disconnection of affected devices from networks
– Regular monitoring for unusual device behavior
– Verification of displayed vital signs against patient’s condition
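
One way to monitor for the network behavior described above, as an added example that is not taken from the CISA/FDA alerts or from the vendor: it scans flow records for monitors contacting addresses outside the hospital network (the backdoor and data-leak pattern) and for UDP reaching a monitor from an unapproved host (exposure to the UDP write flaw). The subnet, the central station address, the record format and every sample flow, ports included, are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site values (not from the advisory): adjust to your own network.
MONITOR_NET = ip_network("10.20.30.0/24")      # VLAN holding the patient monitors
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_PEERS = {ip_address("10.20.30.5")}    # central monitoring station

# Constructed flow records: time, src, dst, proto, dst_port (ports are arbitrary).
SAMPLE_FLOWS = """\
2025-02-01T10:00:01,10.20.30.5,10.20.30.41,udp,40001
2025-02-01T10:00:07,10.20.30.41,203.0.113.7,tcp,40002
2025-02-01T10:00:09,10.20.40.99,10.20.30.41,udp,40001
2025-02-01T10:00:12,10.20.30.41,10.20.30.5,tcp,40003
2025-02-01T10:00:15,10.20.30.42,198.51.100.23,tcp,40004
"""

def is_internal(addr):
    """True if addr falls inside one of the hospital's own ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def classify(src, dst, proto):
    """Return a finding label for one flow, or None if it looks expected."""
    src, dst = ip_address(src), ip_address(dst)
    if src in MONITOR_NET and not is_internal(dst):
        # A monitor initiating traffic to a public address.
        return "monitor-to-external"
    if dst in MONITOR_NET and proto == "udp" and src not in APPROVED_PEERS:
        # UDP reaching a monitor from a host that is not the central station.
        return "unapproved-udp-to-monitor"
    return None

def scan(flow_text):
    """Parse CSV flow records and return (time, label, src, dst, port) findings."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport = row
        label = classify(src, dst, proto.lower())
        if label:
            findings.append((ts, label, src, dst, int(dport)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(*finding)
```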

While no incidents have been reported, CISA strongly advises healthcare facilities to remove these devices from service until patches are available. The manufacturer, Contec Medical Systems from China, claims FDA approval and distributes to over 130 countries.
