CISA and FDA Alert Users to Serious Backdoor Vulnerability in Contec CMS8000 Patient Monitors


Critical Security Vulnerabilities Found in Contec Patient Monitors: Urgent Action Required

Urgent Cybersecurity Alerts Issued for Contec Patient Monitors

By Ravie Lakshmanan | Jan 31, 2025

In a significant cybersecurity warning, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have raised alarms regarding critical vulnerabilities found in Contec CMS8000 and Epsimed MN-120 patient monitors. The backdoor flaw, tracked as CVE-2025-0626, has been assigned a high severity score of 7.7 out of 10 on the CVSS v4 scale.

According to CISA’s advisory, these devices are susceptible to remote access exploits that bypass existing security measures. "The product can send remote access requests to a hard-coded IP address, effectively creating a backdoor for potential malicious activities," the advisory states. This vulnerability threatens not only the integrity of the medical devices but also patient confidentiality, as it could allow unauthorized users to upload harmful files or manipulate stored patient data.

Additionally, two other serious vulnerabilities were disclosed: CVE-2024-12248, which could lead to remote code execution via specially crafted UDP requests (CVSS score: 9.3), and CVE-2025-0683, in which the device transmits unencrypted patient data to a public IP address (CVSS score: 8.2). The implications of these flaws are dire, potentially compromising patient safety and privacy.

CISA strongly advises healthcare facilities using these monitors to immediately disconnect the devices from their networks until patches are available. While there have been no reports of incidents or harm linked to these vulnerabilities, the FDA underscores the urgent need for vigilance in monitoring the devices and their performance.

Contec Medical Systems, the manufacturer based in Qinhuangdao, China, reassured the public that its products are FDA-approved, yet the ongoing challenges in cybersecurity remain a pressing concern for healthcare providers worldwide.
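
One way to check a network for the outbound behaviour described above, as an added example that is not from CISA, the FDA or the original article: it scans a flow-log export for connections from patient-monitor addresses to any destination outside the site's own networks. The monitor inventory, the allowed network range, the CSV column layout and every sample row are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed inventory and site ranges (assumptions, not from the advisory).
MONITOR_IPS = {"10.20.30.11", "10.20.30.12"}
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow export; the column layout is an assumption.
SAMPLE_FLOWS = """\
time,src,dst,proto,dst_port,bytes
2025-02-01T08:00:01Z,10.20.30.11,10.20.1.5,tcp,6000,1820
2025-02-01T08:00:04Z,10.20.30.11,203.0.113.40,tcp,8443,96400
2025-02-01T08:00:09Z,10.20.30.12,10.20.1.5,tcp,6000,1764
2025-02-01T08:01:04Z,10.20.30.11,203.0.113.40,tcp,8443,88120
2025-02-01T08:01:30Z,10.20.40.7,198.51.100.9,tcp,443,5120
2025-02-01T08:02:00Z,10.20.30.12,224.0.0.251,udp,5353,210
2025-02-01T08:02:10Z,10.20.30.12,not-an-ip,tcp,80,0
"""


def find_external_egress(flow_csv, monitors=MONITOR_IPS, allowed=ALLOWED_NETS):
    """Return ({(src, dst, port): {"flows", "bytes"}}, malformed_row_count)
    for monitor traffic to destinations outside the allowed networks."""
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0})
    malformed = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in monitors:
            continue  # only audit the patient monitors
        try:
            dst = ipaddress.ip_address(row["dst"])
            port, size = int(row["dst_port"]), int(row["bytes"])
        except (ValueError, TypeError):
            malformed += 1  # keep a count so bad exports are noticed
            continue
        if dst.is_multicast or dst.is_link_local:
            continue  # stays on the local segment
        if any(dst in net for net in allowed):
            continue  # expected in-site destination
        key = (row["src"], str(dst), port)
        findings[key]["flows"] += 1
        findings[key]["bytes"] += size
    return dict(findings), malformed


if __name__ == "__main__":
    hits, bad = find_external_egress(SAMPLE_FLOWS)
    for (src, dst, port), stats in sorted(hits.items()):
        print(f"ALERT {src} -> {dst}:{port} flows={stats['flows']} bytes={stats['bytes']}")
    print(f"malformed rows skipped: {bad}")
```

The check is allowlist-based, so it flags any off-site destination rather than depending on a known indicator address.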
