ICSMA-25-030-01 - Contec Health CMS8000 Patient Monitor

CISA Warns of Critical Vulnerabilities in Contec Health CMS8000 Monitors
Roey Vilnai, VP Data
Jan 31, 2025

On January 30, 2025, CISA published Medical Advisory ICSMA-25-030-01 on Contec Health CMS8000 patient monitors. The advisory covers three CVEs affecting different versions of this medical device:

  1. CVE-2024-12248 - an out-of-bounds write vulnerability, which could lead to remote code execution,
  2. CVE-2025-0626 - a hidden backdoor functionality, and
  3. CVE-2025-0683 - a privacy leakage vulnerability, which is a result of the previous CVE.

While the first vulnerability received the highest CVSS score (9.8 in CVSS version 3.1), the other two vulnerabilities received more media attention, because this is the first time a hidden backdoor functionality has been discovered in a medical device.

According to the fact sheet published by CISA, a set of commands in the device firmware mounts a remote NFS share from a host at an IP address that is not registered to the device manufacturer but is registered to a university. CISA published the following image of the firmware code, which shows this behavior but with the actual IP address blacked out:

A user on the social network X published the full source code, including the hard-coded IP:

The research team created a simulated network, and observed that when the CMS8000 completes its startup routine, it will automatically beacon to the IP address that is hard-coded into the backdoor function. Once a connection is established, patient information is then transmitted via port 515 to the IP address.

However, in a real environment, the team did not observe communication to the university's IP, only attempts by the device to reach out.
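The beaconing and the port 515 transfer described above are the kind of behavior a hospital can check for in its own firewall or flow logs. The following is an added detection example, not code from the advisory or from Contec; it assumes a hypothetical space-separated flow-log format, an assumed monitor VLAN of 10.20.30.0/24, the RFC 1918 ranges as the hospital's internal networks, and constructed sample log lines.

```python
"""Flag CMS8000-style beaconing in flow logs (added example, hypothetical log format)."""
import ipaddress

INDICATOR_IP = ipaddress.ip_address("202.114.4.119")   # IP from the advisory and manuals
PATIENT_DATA_PORT = 515                                # port named in the CISA fact sheet
DEVICE_SUBNET = ipaddress.ip_network("10.20.30.0/24")  # assumed patient-monitor VLAN
# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
# 203.0.113.9 is a documentation-range placeholder standing in for an external host.
SAMPLE_FLOWS = """\
2025-01-31T08:00:01Z 10.20.30.15 192.168.1.10 515 tcp
2025-01-31T08:00:02Z 10.20.30.15 202.114.4.119 515 tcp
2025-01-31T08:00:05Z 10.20.30.22 203.0.113.9 515 tcp
2025-01-31T08:00:07Z 10.20.30.22 10.20.30.1 53 udp
2025-01-31T08:00:09Z 10.50.1.4 202.114.4.119 443 tcp
"""


def parse_flow(line):
    """Parse one hypothetical flow-log line into a dict with typed fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "proto": proto}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return a finding label for one flow, or None if it is not suspicious."""
    # Rule 1: any traffic at all to the indicator IP, from any host, on any port.
    if flow["dst"] == INDICATOR_IP:
        return "indicator_ip"
    # Rule 2: a monitor sending TCP/515 to an external address. Traffic on 515 to an
    # internal Central Monitoring System (first sample line) is expected and not flagged.
    if (flow["src"] in DEVICE_SUBNET and flow["port"] == PATIENT_DATA_PORT
            and flow["proto"] == "tcp" and not is_internal(flow["dst"])):
        return "external_port_515"
    return None


def find_beacons(log_text):
    """Scan a whole log and return (ts, src, dst, label) tuples for flagged flows."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow["ts"], str(flow["src"]), str(flow["dst"]), label))
    return findings
```

Running `find_beacons(SAMPLE_FLOWS)` on the constructed sample yields three findings: the two flows to the indicator IP and the one monitor-to-external transfer on port 515.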

The public disclosure does not contain the actual IP observed in the source code. However, I inspected a user manual for the device available online. In this manual, it appears that the monitor has a hard-coded server IP address:

The IP mentioned is 202.114.4[.]119, a Chinese IP registered to Tsinghua University in Beijing. This matches the IP address published on X, and it indeed belongs to a Chinese university:

In another manual found online, this time for CMS v3.0 Central Monitoring System, this IP makes another appearance, as the user is instructed to set it for the server:

If the hospital sets up the Central Monitoring System with this IP address, then the monitors will be directed to send information to it, and not to the external IP owned by Tsinghua University.

Interestingly, the same IP can also be found in a manual for the DPM Central Monitoring Station by Mindray, another Chinese vendor:

The Mindray manual mentions that this IP address is used “for the CMS protocol”, which could be the same CMS protocol that Contec uses, as the monitor in question is called CMS8000.

This brings up another possible explanation for the hard-coded IP: bad coding practices. This is not something that would be unique to this device and this company. Hard-coded configuration is very common in medical devices, including IP addresses and passwords. Requiring the user to assign such a hard-coded IP address to an internal server is definitely stranger than most cases we've seen, but I think it is a more likely explanation than a backdoor.
