The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a backdoor embedded in the firmware of the Contec CMS8000, a patient monitor used in U.S. healthcare facilities.
The Contec CMS8000 is manufactured by Contec Medical Systems, a China-based company supplying medical devices to hospitals and clinics worldwide, including the U.S. and the European Union. The device continuously monitors key patient vitals such as electrocardiograms, heart rate, blood oxygen levels, and blood pressure. While it may be rebranded and sold under different names by resellers, the backdoor exists across all analyzed versions of its firmware.
The security issue is tracked under CVE-2025-0626 and CVE-2025-0683. The first CVE ID covers a hidden function with a hard-coded IP address, potentially allowing remote code execution and unauthorized modifications. The second covers the exposure of patient data to unauthorized access, raising serious privacy and security concerns.
CISA's investigation, prompted by an external security researcher, analyzed three versions of the CMS8000 firmware, including version 2.0.6 and two pre-release versions. The agency discovered a reverse backdoor that connects automatically to a hard-coded IP address linked to a third-party university, enabling the device to download and execute unverified remote files. This mechanism lacks integrity checks, logging, or version tracking, making it an unsafe and highly unusual firmware update method. Furthermore, upon device startup, patient data, including vital signs, is transmitted via port 515 to the same IP address.
Despite receiving two patched firmware versions from Contec, CISA found that the backdoor remained present, even in the latest version 2.0.8. The modifications made by Contec, such as disabling the network interface eth0 in the firmware, did not neutralize the backdoor, because the backdoor itself re-enables network connectivity before executing its suspicious functions.
Mitigation and recommendations
CISA and the FDA recommend that healthcare providers take immediate action to mitigate the risks associated with the Contec CMS8000:
- Patients and caregivers should consult healthcare providers to determine if their device relies on remote monitoring. If so, they should unplug it and seek an alternative.
- Hospitals and IT teams should disable the device’s network connectivity (wired and wireless). If this is not possible, they should discontinue use.
- Healthcare providers should monitor the CMS8000 for unusual behavior, such as discrepancies in displayed patient vitals, and report any anomalies to the FDA.
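As an added illustration, not code from CISA, the FDA or the advisory, the following check shows how a hospital network team could flag the behaviour described above in firewall logs: outbound connections from a patient monitor to an address outside the organisation, and port 515 traffic leaving a monitor. It assumes a dedicated monitor VLAN of 10.20.30.0/24 and RFC 1918 internal ranges; the log lines are constructed, and 203.0.113.7 is a documentation-range placeholder standing in for the hard-coded address, which is not given here.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Assumption: patient monitors sit on their own VLAN; adjust to the real site.
MONITOR_NET = ipaddress.ip_network("10.20.30.0/24")
# Assumption: everything the organisation owns falls inside RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Port the advisory names for the patient-data transmission at device startup.
BACKDOOR_DATA_PORT = 515

# Constructed iptables-style log lines (not real captures). 203.0.113.7 is a
# placeholder for the hard-coded remote address, which this page does not state.
SAMPLE_LOG = """\
Jan 30 08:01:02 fw kernel: OUT=eth1 SRC=10.20.30.15 DST=10.20.1.5 PROTO=TCP SPT=40212 DPT=443
Jan 30 08:01:03 fw kernel: OUT=eth1 SRC=10.20.30.15 DST=203.0.113.7 PROTO=TCP SPT=40213 DPT=515
Jan 30 08:01:04 fw kernel: OUT=eth1 SRC=10.20.30.15 DST=203.0.113.7 PROTO=TCP SPT=40214 DPT=80
Jan 30 08:02:10 fw kernel: OUT=eth1 SRC=10.20.40.9 DST=203.0.113.7 PROTO=TCP SPT=51000 DPT=515
Jan 30 08:02:11 fw kernel: OUT=eth1 SRC=10.20.30.22 DST=10.20.1.9 PROTO=TCP SPT=40500 DPT=515
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ .*?DPT=(?P<dpt>\d+)")

@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str

def analyse(log_text: str, monitor_net=MONITOR_NET) -> list[Finding]:
    """Return one Finding per outbound flow from a monitor that either leaves the
    organisation's address space or uses port 515 (the vitals export path)."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall flow line; ignore
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        dport = int(m["dpt"])
        if src not in monitor_net:
            continue  # only the monitor VLAN is in scope for this rule
        reasons = []
        if not any(dst in net for net in INTERNAL_NETS):
            reasons.append("monitor contacting an external address")
        if dport == BACKDOOR_DATA_PORT:
            reasons.append("port 515 traffic leaving a monitor")
        if reasons:
            findings.append(Finding(str(src), str(dst), dport, "; ".join(reasons)))
    return findings
```

Any hit from a CMS8000 is a reason to pull the device off the network, as the advisory recommends, rather than a signal to tune away.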
At this time, no official software patch has been released to fully eliminate the vulnerabilities. The presence of this backdoor raises critical concerns about medical device security and patient safety, prompting further scrutiny into the cybersecurity practices of medical device manufacturers operating in the U.S.