Multiple flaws, one critical found in Contec Health CMS8000 Patient Monitor
Take action: If you are using Contec Health's CMS8000 Patient Monitor, read the advisory and start a risk assessment. Any attacker who compromises the hospital network can attack these devices at scale. Implement very strict network isolation and, if possible, start replacing the monitors or keep them in storage until a patch is available. And chase down Contec Health for a patch ASAP.
Learn More
A series of security vulnerabilities has been reported in Contec Health's CMS8000 Patient Monitor, a medical device used in healthcare facilities worldwide.
The findings have prompted both the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) to issue safety communications due to the significant cybersecurity and patient safety risks involved.
Vulnerabilities summary
- CVE-2024-12248 (CVSS score 9.3) - Out-of-Bounds Write. Enables remote code execution through specially crafted UDP requests and allows writing of arbitrary data
- CVE-2025-0626 (CVSS score 7.7) - Hidden Functionality/Backdoor. Contains hardcoded IP address for remote access and permits unauthorized file uploads and overwrites
- CVE-2025-0683 (CVSS score 8.2) - Privacy Leakage. Transmits unencrypted patient data to hardcoded public IP address and exposes confidential patient information
These vulnerabilities allow for simultaneous exploitation of multiple devices within the same network. An attacker could potentially compromise all affected patient monitors in a healthcare facility through a single coordinated attack.
The flaws affect multiple firmware versions of the CMS8000 Patient Monitor, including smart3250-2.6.27-wlan2.1.7.cramfs, CMS7.820.075.08/0.74(0.75), CMS7.820.120.01/0.93(0.95), and others.
CISA and the FDA have recommended immediate removal of affected devices from networks until patches are available. Additional security recommendations include implementing network isolation through firewalls, restricting internet access, updating firewall rules to block unauthorized communications, and deploying subnet segmentation to isolate medical devices on separate, low-privilege network segments.
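The mitigations above (segmentation, firewall rules blocking unauthorized communications) are only as good as your ability to see when a monitor violates them. The following is an added example, not code from the advisory, from CISA or from Contec Health: a small policy checker that runs over flow records exported from a firewall or flow collector and flags traffic that a correctly isolated patient-monitor segment should never produce. Every address, subnet, port and log line in it is a constructed placeholder; in particular, the "known hardcoded destination" is a placeholder that you would replace with the address given in the vendor or CISA advisory, and the allowlisted central monitoring station is an assumed host in your own environment.

```python
"""Flag patient-monitor flows that violate a segmentation policy.

Added example (not from the advisory or the vendor). Assumptions, all
placeholders: the monitors sit on an isolated VLAN 10.50.0.0/24, they may
talk only to a central monitoring station at 10.50.1.10, and nothing on
that VLAN should ever reach an address outside 10.0.0.0/8.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEDICAL_SUBNET = ipaddress.ip_network("10.50.0.0/24")      # isolated monitor VLAN (assumed)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # anything else counts as external
ALLOWED_PEERS = {ipaddress.ip_address("10.50.1.10")}        # central station (assumed)
# Placeholder for the hardcoded remote address described in the advisory;
# substitute the real value from the vendor/CISA publication.
KNOWN_HARDCODED_DEST = ipaddress.ip_address("203.0.113.7")


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record, e.g. 'src=10.50.0.21 dst=10.50.1.10 proto=tcp dport=5000'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a flow involving a monitor breaks policy, else None."""
    src_is_monitor = flow.src in MEDICAL_SUBNET
    dst_is_monitor = flow.dst in MEDICAL_SUBNET
    if not (src_is_monitor or dst_is_monitor):
        return None                      # traffic that never touches the monitor VLAN
    if src_is_monitor and dst_is_monitor:
        return None                      # monitor-to-monitor traffic is not evaluated here
    if src_is_monitor:                   # egress from a monitor
        if flow.dst == KNOWN_HARDCODED_DEST:
            return ("CRITICAL", "monitor contacting the hardcoded remote address")
        if not is_internal(flow.dst):
            return ("HIGH", "monitor egress to an external address")
        if flow.dst not in ALLOWED_PEERS:
            return ("MEDIUM", "monitor talking to a non-allowlisted internal host")
        return None
    # ingress to a monitor from outside the VLAN: the RCE flaw is reachable over UDP,
    # so unexpected inbound UDP is rated higher than unexpected inbound TCP
    if flow.src not in ALLOWED_PEERS:
        severity = "HIGH" if flow.proto == "udp" else "MEDIUM"
        return (severity, f"inbound {flow.proto} to monitor from non-allowlisted host")
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Run classify() over flow records; return (line_no, severity, reason, line) per alert."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        verdict = classify(parse_flow(line))
        if verdict:
            alerts.append((n, verdict[0], verdict[1], line))
    return alerts


# Constructed sample flow records (not real traffic)
SAMPLE_FLOWS = [
    "src=10.50.0.21 dst=10.50.1.10 proto=tcp dport=5000",    # monitor -> central station: fine
    "src=10.50.0.21 dst=203.0.113.7 proto=tcp dport=515",    # monitor -> hardcoded address
    "src=10.50.0.22 dst=198.51.100.20 proto=udp dport=53",   # monitor -> external host
    "src=10.20.3.4 dst=10.50.0.21 proto=udp dport=7777",     # unexpected inbound UDP
    "src=10.50.0.23 dst=10.60.0.5 proto=tcp dport=443",      # monitor -> other internal host
    "src=10.20.3.4 dst=10.20.3.5 proto=tcp dport=22",        # unrelated traffic
]

if __name__ == "__main__":
    for n, severity, reason, line in scan(SAMPLE_FLOWS):
        print(f"line {n}: {severity}: {reason} [{line}]")
```

Run it against an export of your own flow logs in the same `key=value` shape (or adapt `parse_flow` to your collector's format); any CRITICAL or HIGH hit is evidence that the isolation CISA and the FDA recommend is not actually in place for that device.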