Malware Discovered in Healthcare Patient Monitors, Traced to Chinese IP Address

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding multiple vulnerabilities identified in Contec Health’s CMS8000 Patient Monitor.

These flaws pose significant security risks, potentially allowing remote attacks, privacy breaches, and unauthorized data access.

The vulnerabilities, rated as highly severe with a CVSS v4 score of up to 9.3, could be exploited with low attack complexity, thereby threatening critical healthcare systems worldwide.

Details of Vulnerabilities

Three key vulnerabilities were identified in the patient monitor’s firmware.

The first is an out-of-bounds write vulnerability (CWE-787, CVE-2024-12248), which allows attackers to send specially formatted UDP requests, enabling arbitrary data writing and remote code execution.

This flaw has been assigned a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, highlighting its critical nature.

The second vulnerability is a hidden functionality exploit (CWE-912, CVE-2025-0626), where the device connects to a hardcoded external IP address, bypassing network settings and effectively functioning as a backdoor.

This could allow unauthorized actors to overwrite files on the device or compromise its integrity. It carries a CVSS v4 score of 7.7.

The third flaw concerns privacy leakage (CWE-359, CVE-2025-0683), where patient data is transmitted in plaintext to a public IP address, enabling possible interception or leakage of sensitive information.

This vulnerability, which affects all versions of the CMS8000 firmware, has been rated as having a CVSS v4 score of 8.2.

The vulnerabilities collectively present a significant risk to patient privacy and healthcare infrastructure security.

Implications and Risk Evaluation

Successful exploitation of these vulnerabilities could enable attackers to compromise patient monitors remotely, execute arbitrary code, and leak sensitive patient information.

A simultaneous attack on multiple devices within a shared network is feasible, amplifying the potential damage to healthcare facilities.

The Food and Drug Administration (FDA) has also issued a safety communication regarding these risks.

CISA strongly advises healthcare organizations to immediately remove Contec CMS8000 devices from their networks due to the severity of the vulnerabilities.

Additional measures include isolating medical devices on low-privileged subnets, minimizing their exposure to external networks, and updating firewall configurations to prevent unauthorized access.

CISA also recommends using trusted manufacturers for critical systems and conducting comprehensive risk assessments before implementing any defensive measures.

The vulnerabilities, reported by an anonymous researcher, highlight the importance of securing industrial control systems in healthcare technology.

CISA has provided further technical guidance and best practices for industrial control system defense on its website.

Although no public exploitation targeting these vulnerabilities has been identified so far, organizations are urged to remain vigilant and report suspicious activity to CISA.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free