The Cybersecurity and Infrastructure Security Agency (CISA) analyzed three versions of firmware for the Contec CMS8000, a patient monitor used by the Healthcare and Public Health sector, and discovered that an embedded backdoor function with a hard-coded IP address, CWE-912: Hidden Functionality (CVE-2025-0626), and functionality that enables patient data spillage, CWE-359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683), exist in all firmware versions CISA analyzed. The Contec patient monitor CMS8000 (see Figure 1) is used in healthcare settings to monitor human vital signs.
CISA assesses the inclusion of this backdoor in the firmware of the monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration. This introduces risk to patient safety as a malfunctioning monitor could lead to improper responses to vital signs displayed by the device. Please note the Contec CMS8000 may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA’s safety communication, Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication.

Affected Device and Firmware Description

Figure 1: Contec CMS8000

Contec Medical Systems is a global medical device and healthcare solutions company headquartered in China. The company’s medical equipment is used in hospitals, clinics, and home healthcare environments in the European Union and the United States.

This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see cisa.gov/tlp.
The company’s affected device, the Contec CMS8000, is used in medical settings to provide continuous monitoring of a patient’s vital signs. The device tracks electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate.

Following reporting of a vulnerability by an external researcher as part of CISA’s Coordinated Vulnerability Disclosure Process, the CISA research team tested three Contec firmware packages—(1) Version 2.0.6, (2) a pre-release image with no known version number, and (3) a pre-release image of Version 2.0.8—to validate mitigation of the identified vulnerability. During this validation, the research team investigated anomalous network traffic that a security researcher provided to the team as part of vulnerability reporting. The research team then discovered what resembles a reverse backdoor within all three of the firmware packages.

The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files. Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but with a third-party university. By reviewing the firmware code, the team determined that the functionality is very unlikely to be an alternative update mechanism, because it exhibits highly unusual characteristics that do not support the implementation of a traditional update feature. For example, the function provides neither an integrity-checking mechanism nor version tracking of updates. When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device.
These types of actions and the lack of critical log/auditing data go against generally accepted practices and ignore essential components for properly managed system updates, especially for medical devices.
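The controls the advisory says are absent (integrity checking, version tracking, and an audit record of what was installed) can be made concrete with a minimal device-side update verifier. The example below is added here and is not CISA's analysis or Contec's code; the vendor key, manifest format, version strings and payload bytes are constructed for the example, and the HMAC over the manifest stands in for the public-key signature a real vendor update path would verify. An update is accepted only when the manifest authenticates, the payload hash matches the manifest, and the version is strictly newer than the installed one; every decision, accepted or rejected, is written to an audit log rather than silently overwriting files.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): stands in for a signing key held only by the
# vendor. A production device would verify a public-key signature instead.
VENDOR_KEY = b"demo-vendor-key-constructed-for-this-example"


def canonical_manifest(manifest: dict) -> bytes:
    """Deterministic encoding so vendor and device authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the manifest (version plus payload hash)."""
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).hexdigest()


def parse_version(text: str) -> tuple:
    """'2.0.8' -> (2, 0, 8) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: str, audit: list,
                  key: bytes = VENDOR_KEY) -> tuple:
    """Device side. Returns (accepted, reason) and appends one audit line.

    Each check is a control the advisory notes the hidden function lacks:
    authenticity of the manifest, integrity of the downloaded file,
    version tracking, and a record of what was or was not installed.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        audit.append("REJECT manifest signature invalid")
        return False, "bad signature"

    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        audit.append(f"REJECT payload sha256 {digest[:12]} != manifest {manifest['sha256'][:12]}")
        return False, "hash mismatch"

    if parse_version(manifest["version"]) <= parse_version(installed_version):
        audit.append(f"REJECT version {manifest['version']} not newer than {installed_version}")
        return False, "not newer"

    audit.append(f"ACCEPT {installed_version} -> {manifest['version']} sha256={digest[:12]}")
    return True, "ok"


def demo() -> dict:
    """Exercise a genuine update and three failure modes; returns acceptance per case."""
    payload = b"constructed firmware payload bytes"          # constructed sample
    manifest = {"version": "2.0.8", "sha256": hashlib.sha256(payload).hexdigest()}
    sig = sign_manifest(manifest)
    audit = []
    results = {
        # signed manifest, intact payload, newer version: the only accepted case
        "genuine": verify_update(manifest, sig, payload, "2.0.6", audit)[0],
        # payload altered in transit: hash no longer matches the manifest
        "tampered_payload": verify_update(manifest, sig, payload + b"x", "2.0.6", audit)[0],
        # manifest altered after signing: signature no longer verifies
        "forged_manifest": verify_update({**manifest, "version": "9.9.9"}, sig, payload, "2.0.6", audit)[0],
        # replay of the current version: version tracking blocks it
        "rollback": verify_update(manifest, sig, payload, "2.0.8", audit)[0],
    }
    for line in audit:
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

Running the block prints the four audit lines; only the genuine case reaches ACCEPT. The point for an operator is that each rejection leaves a record, so a hospital can reconstruct what software the device is running, which is exactly the visibility the advisory says the hidden overwrite function denies the customer.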
