CISA Warns of Backdoor Vulnerability in Contec Patient Monitors
A hidden backdoor function embedded in the firmware of the Contec CMS8000 patient monitor has been identified by the US Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability, which includes a hard-coded IP address and the potential for unauthorized access to patient data, exists in all analyzed versions of the device’s firmware.
The Contec CMS8000 is widely used in healthcare facilities across the US and European Union to monitor vital signs, including electrocardiograms (ECGs), heart rate, blood oxygen levels and other critical patient metrics.
Backdoor in Medical Monitors Could Disrupt Patient Care
CISA’s analysis determined the backdoor could allow remote code execution (RCE) and device modifications. If exploited, the vulnerability could disrupt monitoring functions and potentially lead to improper responses to patient vitals.
The backdoor function enables the device to download and execute remote files without verification, bypassing standard update security mechanisms.
The discovery follows reports from an independent security researcher who flagged unusual network activity. Upon further analysis, CISA confirmed that the monitor was attempting to connect to an IP address registered to a third-party university.
CISA found that patient data is automatically transmitted to the same hard-coded IP address upon device startup.
This transmission occurs via port 515, commonly associated with the Line Printer Daemon (LPD) protocol rather than a standard health data protocol. The lack of encryption and logging for these transmissions heightens the risk of sensitive patient information being accessed by unauthorized entities.
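The behavior described above (a monitor on the ward network opening an outbound TCP/515 connection to a fixed address that is not a print server) is something a SOC can look for in flow or Zeek-style connection logs. The Python below is an added example for this article, not code from CISA, the FDA, Contec or Claroty. The address plan (a 10.50.0.0/24 medical VLAN, a 10.20.1.5 print server, the RFC 5737 documentation address 203.0.113.44 standing in for the hard-coded external IP, which the article does not reproduce) and the log records are constructed for illustration.

```python
"""Flag LPD (TCP/515) connections leaving a medical-device VLAN.

Added example for the CMS8000 article; not CISA, FDA, Contec or Claroty code.
Log format, IP ranges and hosts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

LPD_PORT = 515

# Assumed hospital address plan (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MEDICAL_VLAN = ipaddress.ip_network("10.50.0.0/24")        # where the monitors sit
KNOWN_PRINT_SERVERS = {ipaddress.ip_address("10.20.1.5")}  # legitimate LPD targets


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    dst: str
    orig_bytes: int
    reason: str


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_line(line: str) -> Optional[Tuple[float, str, int, str, int, str, int]]:
    """Parse one record: ts orig_h orig_p resp_h resp_p proto orig_bytes.

    A whitespace-separated subset of Zeek conn.log columns (constructed format).
    Returns None for comments, blank lines and malformed records.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes = parts
        return (float(ts), orig_h, int(orig_p), resp_h, int(resp_p),
                proto.lower(), int(orig_bytes))
    except ValueError:
        return None


def find_lpd_egress(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every TCP/515 connection a monitor makes to a host
    that is not one of the known print servers. External destinations are the
    exfiltration case the article describes; unknown internal hosts are
    flagged too, since a monitor has no business printing anywhere else."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, orig_bytes = rec
        if proto != "tcp" or resp_p != LPD_PORT:
            continue
        try:
            src = ipaddress.ip_address(orig_h)
            dst = ipaddress.ip_address(resp_h)
        except ValueError:
            continue
        if src not in MEDICAL_VLAN or dst in KNOWN_PRINT_SERVERS:
            continue
        reason = ("LPD to unknown internal host" if is_internal(dst)
                  else "LPD to external address")
        alerts.append(Alert(ts, str(src), str(dst), orig_bytes, reason))
    return alerts


# Constructed sample records: two monitors (10.50.0.17, 10.50.0.23), one
# workstation (10.0.7.9), one real print job, one HTTPS flow as noise.
SAMPLE_CONN_LOG = """\
#fields ts orig_h orig_p resp_h resp_p proto orig_bytes
1738281600.0 10.50.0.17 49152 203.0.113.44 515 tcp 18342
1738281601.2 10.50.0.17 49153 10.20.1.5 515 tcp 2048
1738281602.5 10.50.0.23 49160 198.51.100.7 443 tcp 900
1738281603.1 10.0.7.9 51000 203.0.113.44 515 tcp 120
1738281604.0 10.50.0.23 49161 10.99.0.3 515 tcp 17901
"""

if __name__ == "__main__":
    for a in find_lpd_egress(SAMPLE_CONN_LOG.splitlines()):
        print(f"{a.ts:.1f} {a.src} -> {a.dst}:{LPD_PORT} {a.orig_bytes}B  {a.reason}")
```

Because the transmission is unencrypted, the same flows are also candidates for full-packet capture: once a flagged connection is confirmed, the payload can be inspected directly to establish what patient data actually left the device. The 10.0.7.9 record is deliberately not flagged; restricting the rule to the device VLAN keeps it from firing on ordinary workstation print jobs.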
Despite vendor-supplied firmware updates, including Version 2.0.8, CISA confirmed that the backdoor function remains present. Although some mitigations were attempted – such as disabling certain network interfaces – the fundamental security risks persist.
However, cybersecurity firm Claroty said the reality of the backdoor is more complicated than it may first appear.
After investigating the firmware of the CMS8000, Claroty’s researchers, Team82, said it is most likely not a hidden backdoor but an insecure, vulnerable design that nonetheless introduces great risk to patient monitor users and hospital networks.
“Absent additional threat intelligence, this nuance is important because it demonstrates a lack of malicious intent, and therefore changes the prioritization of remediation activities. Said differently, this is not likely to be a campaign to harvest patient data and more likely to be an inadvertent exposure that could be leveraged to collect information or perform insecure firmware updates,” the Team82 researchers said.
Recommendations for Healthcare Providers
CISA and the Food and Drug Administration (FDA) urged healthcare providers to take the following actions:
- Disable remote monitoring features
- Disconnect affected devices from network access
- Seek alternative patient monitors if offline use is not an option
The FDA said it is not aware of any reported cybersecurity incidents linked to this vulnerability, but advises facilities to remain vigilant and report any abnormalities.