Yesterday, FDA and CISA (Alert Code ICSMA-25–030–01) released a security alert and recall for the Contec Health CMS8000 Patient Monitor (also sold under the name Epsimed MN-120) due to serious cybersecurity vulnerabilities reported by an anonymous researcher. Exploiting these vulnerabilities may allow an attacker to remotely control the devices, compromise the device through an undisclosed backdoor, or exfiltrate PII and PHI data.
Specifically, these vulnerabilities are described as:
- CVE-2024–12248 (CVSS v3.1 base score 9.8; CVSS v4 base score 9.3); Out-of-Bounds Write (CWE-787):
The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution. - CVE-2025–0626 (CVSS v3.1 base score 7.5; CVSS v4 base score 7.7); Hidden Functionality (Backdoor, CWE-912):
The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device. - CVE-2025–0683 (CVSS v3.1 base score 5.9; CVSS v4 base score 8.2); Exposure of Private Personal Information to an Unauthorized Actor (Privacy Leakage, CWE-359):
In its default configuration, the affected product transmits plain-text patient data to a hard-coded public IP address when a patient is hooked up to the monitor. This could lead to a leakage of confidential patient data to any device with that IP address or an attacker in a machine-in-the-middle scenario.
The vulnerabilities could allow all affected Contec and Epsimed patient monitors on a given network to be exploited at the same time, i.e., leading to a multi-patient harm scenario. FDA also noted that some patient monitors may be available with wireless capabilities without FDA authorization.Affected products and firmware versions can be found in the respective FDA and CISA advisories. Further technical detail on the vulnerabilities has been provided by CISA.FDA is not aware of any cybersecurity incidents related to the reported vulnerabilities but recommends removing all Contec CM8000 devices from their networks and, if possible, only relying on local monitoring. At this time there is no software patch available to help mitigate these risks.How Medical Device Manufacturers can avoid similar scenariosProper Secure Development Lifecycle processes (SDLC) would allow for cybersecurity practices that could prevent these types of issues. Enacting security practices such as threat modeling generally leads to a more robust architecture and more secure implementation. Tools such as Software Bill of Materials (SBOM) allow for detection and efficient management of identified security vulnerabilities. Third party pen testing can give manufacturers early exposure to security vulnerabilities and allows them to address risks before market release.Following secure software engineering practices and principles (such as those provided by CISA’s Secure by Design / Secure by Default Framework) helps to identity and remediate common software implementation errors such as elimination of default credentials and settings, establishing internal security controls, use of memory safe languages, use of secure software and hardware components, application of a defense in depth approach, and similar proven practices.In addition, the appropriate postmarket management activities can reduce the impact of findings like these. A Coordinated Vulnerability Disclosure (CVD) process would have allowed for early engagement with the anonymous security researchers. Further, proper postmarket vulnerability management could have allowed for constructive engagement with regulators and timely preparation of a patch.
Resources:
.png)
.png)
%20Bridging%20the%20Gap%20Navigating%20EU%20and%20US%20Medical%20Device%20Cybersecurity%20Regulations.png)
