Medical surveillance monitor: Backdoor discovered in Contec CMS8000

Attackers can compromise medical hardware from Contec, which can result in malicious code getting onto the devices. There has been no security update to date.


If attackers successfully exploit vulnerabilities in the Contec CMS8000 medical monitor, they can manipulate the display of vital signs, among other things. As far as we know at present, there is no security update. It is not yet clear when a patch will be released.

In addition to hospitals in the USA, medical facilities in Europe also use the vital status monitor. It is also used in Germany.

Security researchers from the US Cybersecurity & Infrastructure Security Agency (CISA) have discovered two security vulnerabilities (CVE-2025-0626, "high"; CVE-2025-0683, "high"). The first vulnerability is a backdoor in the form of a hardcoded IP address. Attackers can use this to gain unauthorized access. The second security problem is the unencrypted transmission of patient data to this IP address. Attackers can view this data.

CISA states in a report that attackers may be able to execute malicious code and manipulate device data. This could lead to vital signs being displayed incorrectly, for example, so that critical health conditions in patients are not displayed or are displayed incorrectly.

The researchers state that they have analyzed several firmware versions. All of the versions they examined were vulnerable. Because other manufacturers of medical status monitors use identical hardware under a different name, it is highly likely that other models are also vulnerable. CISA provides further information on this in an additional article.


There is currently no security patch available. If the surveillance monitor transmits signals via the Internet using the built-in WLAN module, admins should no longer use the device for security reasons until an update is released. If there is no external connection and access to vital data is only possible locally, the risk of attack is reduced.
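To check whether a monitor actually has an external connection, admins can look in flow or firewall logs for traffic from monitor addresses to destinations outside the internal ranges. The following is an added example, not code from CISA or this article; the device inventory, the internal ranges, the log format, the port and all sample records are constructed assumptions.

```python
import ipaddress

# Assumption: address ranges this site treats as internal (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: constructed inventory of patient monitor addresses.
MONITORS = {"10.20.5.11": "ward-3-bed-1", "10.20.5.12": "ward-3-bed-2"}

# Constructed sample flow records: "timestamp src dst dport proto bytes".
# Destinations use documentation address ranges, not real indicators.
SAMPLE_FLOWS = """\
2025-02-03T08:00:01Z 10.20.5.11 10.20.1.5 9000 tcp 1820
2025-02-03T08:00:04Z 10.20.5.12 203.0.113.45 9000 tcp 96412
2025-02-03T08:00:09Z 10.20.7.40 198.51.100.7 443 tcp 5120
2025-02-03T08:00:15Z 10.20.5.12 203.0.113.45 9000 tcp 88100
malformed line
2025-02-03T08:01:02Z 10.20.5.11 10.20.1.5 9000 tcp 1790
"""

def is_internal(addr):
    """True if addr lies inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_flows(log_text, monitors=MONITORS):
    """Return {(device, dst, dport): total_bytes} for monitor traffic
    whose destination is outside the internal networks."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        _, src, dst, dport, _, nbytes = parts
        try:
            if src not in monitors or is_internal(dst):
                continue
            key = (monitors[src], dst, int(dport))
            hits[key] = hits.get(key, 0) + int(nbytes)
        except ValueError:
            continue  # unparsable address, port or byte count
    return hits

if __name__ == "__main__":
    for (dev, dst, port), total in sorted(external_flows(SAMPLE_FLOWS).items()):
        print(f"ALERT {dev} -> {dst}:{port} ({total} bytes)")
```

Any hit means the device is not limited to local access and falls under the higher-risk case described above.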

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.