CISA, FDA Warn of Dangerous Backdoor in Contec Patient Monitors


The cybersecurity agency CISA and the FDA have urged healthcare organizations in the United States to remove any Contec CMS8000 patient monitors from their environments, due to remote code execution and device tampering risks.

Manufactured by Chinese company Contec Medical Systems, the device is used in the US and the European Union to monitor patients’ vital signs, including heart rate, blood oxygen saturation, blood pressure, and more.

Contec CMS8000, CISA says, contains a backdoor function in its firmware that could allow attackers to upload and overwrite files on the device, bypassing existing device network settings.

“The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files. Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but a third-party university,” CISA notes in a fact sheet (PDF).

Tracked as CVE-2025-0626 (CVSS score of 7.7), this security defect would allow remote attackers to execute arbitrary code on the device and modify its configuration, the agency warns.

“This introduces risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs,” CISA says.

The issue was identified in three firmware versions of the Contec CMS8000, a device that resellers may re-label and sell under their own names, the agency warns. The FDA cites the Epsimed MN-120 monitor as one such example.

When connected to the internet, the patient monitors harvest and exfiltrate both personally identifiable information (PII) and protected health information (PHI), the FDA says, warning that any network to which these devices have been connected may have been compromised.


The analyzed Contec CMS8000 firmware versions also contain an information exposure flaw, where the device “transmits plain-text patient data to a hard-coded public IP address when a patient is hooked up to the monitor”, CISA also says.

Tracked as CVE-2025-0683 (CVSS score of 5.9), the issue could lead to the leakage of patient information and sensor data to the hardcoded IP address or to attackers in a machine-in-the-middle scenario.
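Both the backdoor beacon described above and the plaintext transmission of patient data share one observable trait from the network's side: a patient monitor opening connections to an address outside the hospital. The script below, an added example written for this article and not code from CISA, the FDA or Contec, turns that into detection logic run over firewall log lines. The monitor subnet, the central-station IP, the log records and the external addresses (RFC 5737 documentation ranges) are all constructed; the firmware's real hard-coded IP address is not reproduced here.

```python
"""Flag patient monitors whose network flows match the behaviours the advisory
describes: outbound connections to an address outside the hospital network
(the backdoor's beacon and the plaintext data transmission) and unsolicited
inbound traffic (the surface for remote file upload or tampering).

Example code added for this article, not CISA's, the FDA's or Contec's
material. The subnet, peer, log lines and external addresses are constructed;
the firmware's actual hard-coded IP address is not reproduced here.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed (constructed): the monitors sit on their own VLAN and the only
# sanctioned peer is the central monitoring station.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.30.5")}

# Ranges treated as "inside the hospital"; anything else is external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Constructed syslog-style firewall records (not real captures). The external
# addresses come from RFC 5737 documentation ranges so nothing real is named.
SAMPLE_LOG = """\
2025-01-30T08:00:01Z fw ACCEPT src=10.20.30.17 dst=10.20.30.5 proto=tcp dport=5000
2025-01-30T08:00:02Z fw ACCEPT src=10.20.30.17 dst=203.0.113.45 proto=tcp dport=80
2025-01-30T08:00:03Z fw ACCEPT src=10.20.30.17 dst=203.0.113.45 proto=udp dport=515
2025-01-30T08:00:04Z fw ACCEPT src=198.51.100.7 dst=10.20.30.18 proto=udp dport=515
2025-01-30T08:00:05Z fw ACCEPT src=10.20.30.18 dst=10.20.30.5 proto=tcp dport=5000
2025-01-30T08:00:06Z fw DROP src=10.20.30.19 dst=203.0.113.45 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def is_external(addr):
    """True when addr lies outside every internal range."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return not any(addr in net for net in INTERNAL_RANGES)


def parse_flows(text):
    """Parse firewall lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["src"] = ipaddress.ip_address(d["src"])
        d["dst"] = ipaddress.ip_address(d["dst"])
        d["dport"] = int(d["dport"])
        flows.append(d)
    return flows


def classify(flow):
    """Return a finding label for one flow, or None when it is expected traffic."""
    src, dst = flow["src"], flow["dst"]
    if src in MONITOR_SUBNET:
        if dst in ALLOWED_PEERS:
            return None
        # A monitor reaching outside the hospital is the beacon / exfil pattern.
        if is_external(dst):
            return "egress_to_external_ip"
        return "egress_to_unexpected_internal_host"
    if dst in MONITOR_SUBNET and src not in ALLOWED_PEERS:
        # Anything other than the monitoring station talking to a monitor is
        # unsolicited; the device should not be reachable from elsewhere.
        return "unsolicited_inbound"
    return None


def find_suspect_monitors(text):
    """Map each monitor IP to the sorted list of findings seen for it.

    A DROP still counts: a device attempting to reach out is the tell, whether
    or not the firewall let the connection through.
    """
    findings = defaultdict(set)
    for flow in parse_flows(text):
        label = classify(flow)
        if label is None:
            continue
        monitor = flow["src"] if flow["src"] in MONITOR_SUBNET else flow["dst"]
        if flow["action"] == "DROP":
            label += " (blocked)"
        findings[str(monitor)].add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in find_suspect_monitors(SAMPLE_LOG).items():
        print(host, ", ".join(labels))
```

On the constructed sample, 10.20.30.17 is flagged for accepted egress to an external address, 10.20.30.18 for an unsolicited inbound flow, and 10.20.30.19 for a blocked egress attempt. The point of the blocked case is that a firewall deny is not a clean bill of health: a monitor that keeps trying to reach out is still running the firmware the advisory describes and still belongs on the list of devices to pull from the network.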

A third vulnerability in the device, tracked as CVE-2024-12248 (CVSS score of 9.3), is described as an out-of-bounds write: remote attackers could send specially crafted requests that write arbitrary data to the monitor's memory, which could lead to remote code execution.

To mitigate these issues, healthcare providers are advised to check whether their Contec CMS8000 and Epsimed MN-120 monitors run a vulnerable firmware iteration and disconnect them from the internet if they do. CISA recommends that all Contec CMS8000 devices be removed from users’ networks.

“If your device does not rely on remote monitoring features, unplug the device’s ethernet cable and disable wireless (that is, WiFi or cellular) capabilities. If you cannot disable the wireless capabilities, then continuing to use the device will expose the device to the backdoor and possible continued patient data exfiltration,” the FDA notes.

The FDA warns that no software patch is available for any of these vulnerabilities, but says that it is not aware of any cybersecurity incidents, injuries, or deaths related to them.

These are not the only flaws in Contec CMS8000 that could provide remote attackers with access to vulnerable devices. In 2022, CISA warned of five other security defects in the same firmware versions, including remotely exploitable bugs.

“Successful exploitation of these vulnerabilities could allow a threat actor to cause a denial-of-service condition, modify firmware with physical access to the device, access a root shell, or employ hard-coded credentials to make configuration changes,” the agency notes in an updated advisory.
