Contec Health CMS8000 Patient Monitor (Update A)

Plan Patch | CVSS 9.8 | ICS-CERT ICSMA-25-030-01 | Jan 30, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Contec CMS8000 Patient Monitor contains multiple vulnerabilities (CWE-787, CWE-912, CWE-359) that allow remote code execution through specially formatted UDP requests or network connections without authentication. Successful exploitation allows an attacker to write arbitrary data to device memory and execute code. The device also leaks patient information and sensor data to external networks. All firmware versions are affected, and simultaneous exploitation of multiple devices on a shared network is possible. The vendor has stated no patches will be released (device end-of-life status).

What this means
What could happen
An attacker can remotely execute code on the CMS8000 patient monitor by sending specially formatted network requests, potentially altering device operation and leaking sensitive patient data and sensor readings to unauthorized external networks.
Who's at risk
Healthcare facilities and hospitals using Contec CMS8000 patient monitors. This includes any re-labeled versions of the device sold by other vendors. The vulnerability affects all versions of the firmware and can impact entire networks of these monitors simultaneously.
How it could be exploited
An attacker on the network sends specially formatted UDP requests or initiates connections to the device, which are processed without proper validation. The device writes arbitrary data to memory and executes the attacker's code. Patient information and sensor data are simultaneously exfiltrated to an external IP address (202.114.4.119 or 202.114.4.120) that the attacker controls.
Prerequisites
  • Network access to the CMS8000 device (UDP or TCP connection capability)
  • Device must be connected to a network
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available (vendor will not fix)
  • Affects medical device for patient monitoring
  • Data exfiltration risk (patient information)
  • Simultaneous exploitation possible
Exploitability
Some exploitation risk — EPSS score 3.4%
Affected products (4, all EOL)

Product | Affected Versions | Fix Status
CMS8000 Patient Monitor Firmware: CMS7.820.075.08/0.74(0.75) | CMS7.820.075.08/0.74(0.75) | No fix (EOL)
CMS8000 Patient Monitor Firmware: CMS7.820.120.01/0.93(0.95) | CMS7.820.120.01/0.93(0.95) | No fix (EOL)
CMS8000 Patient Monitor: vers:all/* | All versions | No fix (EOL)
CMS8000 Patient Monitor Firmware: smart3250-2.6.27-wlan2.1.7.cramfs | smart3250-2.6.27-wlan2.1.7.cramfs | No fix (EOL)
Remediation & Mitigation
Do now
  • [Hardening] Remove Contec CMS8000 devices from your network
  • [Workaround] If removal is not possible, block outbound traffic to 202.114.4.0/24 at the network firewall, or specifically block 202.114.4.119 and 202.114.4.120
  • [Hardening] Place all connected CMS8000 devices on a separate, low-privilege network subnet isolated from clinical and business networks
  • [Hardening] Prevent direct internet access from the CMS8000 device network by placing all devices behind a firewall with restrictive inbound and outbound rules
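The following is an added example for verifying the mitigations above; it is not part of the advisory and not Contec's or ICS-CERT's code. It scans firewall or flow log lines for two things: any traffic to the 202.114.4.0/24 range the workaround says to block (with the two named hosts, 202.114.4.119 and 202.114.4.120, rated highest), and any monitor on the isolated subnet reaching a destination outside a small allow-list, which would show the segmentation is leaky. Only the 202.114.4.x addresses come from the advisory; the monitor subnet (10.50.0.0/24), the allow-listed central station (10.50.1.10), the log line format and the sample log lines are all assumptions constructed for the example.

```python
"""Added example: check flow logs against the CMS8000 advisory mitigations.
Only the 202.114.4.x addresses come from the advisory; the subnet, allow-list,
log format and sample lines are assumptions constructed for this example."""
import ipaddress
import re
from collections import Counter

# From the advisory: the destinations the workaround tells you to block.
BLOCKED_RANGE = ipaddress.ip_network("202.114.4.0/24")
ADVISORY_HOSTS = {
    ipaddress.ip_address("202.114.4.119"),
    ipaddress.ip_address("202.114.4.120"),
}

# Assumed (hypothetical): the isolated subnet the monitors were moved to, and
# the only peer they are allowed to reach (e.g. a central monitoring station).
MONITOR_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.50.1.10/32")]

# Assumed log format, constructed for this example:
#   <timestamp> <proto> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ALLOW|DENY)$"
)

# Constructed sample records (ports are arbitrary, not the device's real ports).
SAMPLE_LOGS = """\
2025-02-03T10:00:01Z tcp 10.50.0.21:40112 -> 202.114.4.119:9000 ALLOW
2025-02-03T10:00:02Z udp 10.50.0.22:40200 -> 202.114.4.120:9000 DENY
2025-02-03T10:00:03Z tcp 10.50.0.21:40113 -> 10.50.1.10:9100 ALLOW
2025-02-03T10:00:04Z udp 10.50.0.23:40114 -> 8.8.8.8:53 ALLOW
2025-02-03T10:00:05Z tcp 192.168.7.5:51000 -> 202.114.4.200:80 ALLOW
this line is not a flow record
"""


def parse_line(line):
    """Return a dict for a well-formed flow record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def classify(rec):
    """Apply both advisory checks to one record; a record can trigger both."""
    findings = []
    if rec["dst"] in BLOCKED_RANGE:
        findings.append({
            # The two named hosts are the known exfiltration endpoints; the rest
            # of the /24 is the wider range the workaround says to block.
            "severity": "critical" if rec["dst"] in ADVISORY_HOSTS else "high",
            "reason": "traffic to advisory exfiltration range",
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            # ALLOW here means the firewall block is missing or not in the path.
            "firewall_rule_missing": rec["action"] == "ALLOW",
        })
    if (rec["src"] in MONITOR_SUBNET
            and rec["dst"] not in MONITOR_SUBNET
            and not any(rec["dst"] in net for net in ALLOWED_DESTINATIONS)):
        findings.append({
            "severity": "medium",
            "reason": "monitor egress outside allow-list (segmentation gap)",
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            "firewall_rule_missing": rec["action"] == "ALLOW",
        })
    return findings


def scan(log_text):
    """Run classify() over every parseable line and flatten the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            findings.extend(classify(rec))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 1, 'medium': 3}."""
    return dict(Counter(f["severity"] for f in findings))


def hosts_contacting_blocked_range(findings):
    """Sources that reached 202.114.4.0/24: first candidates for removal.
    A source outside the monitor subnet deserves a look too, since the advisory
    notes re-labelled CMS8000 units sold under other vendors' names."""
    return sorted({f["src"] for f in findings
                   if f["reason"].startswith("traffic to advisory")})


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        flag = " (not blocked!)" if f["firewall_rule_missing"] else ""
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}: {f['reason']}{flag}")
    print("summary:", summarize(found))
    print("hosts to pull:", hosts_contacting_blocked_range(found))
```

Feed it your own firewall export after adjusting LOG_RE, MONITOR_SUBNET and ALLOWED_DESTINATIONS. A "critical" finding with firewall_rule_missing set means the block from the workaround is not actually in the traffic path; a DENY still tells you the device is attempting the connection and belongs on the removal list. The "medium" findings are the segmentation check: on a correctly isolated subnet with a one-entry allow-list there should be none.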