FDA, CISA warn of backdoor in popular patient monitor used by US hospitals

Federal agencies are warning hospitals of a backdoor discovered in a popular line of patient monitors sold by Chinese company Contec.

The Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) released warnings on Thursday about an embedded function they found in the firmware of the Contec CMS8000 — hardware used to display information like vital signs, temperature, heartbeat and blood pressure.  

Contec Medical is a medical device company based in Hebei, China. The affected patient monitors are “used in medical settings in the U.S. and European Union,” CISA said. 

The backdoor “may allow remote code execution and device modification with the ability to alter its configuration, introducing risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs.”

CISA noted that the Contec CMS8000 may be re-labeled and sold by resellers, with the FDA explaining that Epsimed MN-120 patient monitors are also Contec CMS8000 devices inside.

The FDA said in a statement that the monitors “may be remotely controlled by an unauthorized user or not work as intended.” CISA tagged the vulnerabilities as CVE-2024-12248, CVE-2025-0626 and CVE-2025-0683. 

The FDA said it has not seen any cybersecurity incidents, injuries or deaths that related to the vulnerabilities but warned that the bugs would allow hackers to bypass security controls and manipulate devices.

Contec did not respond to requests for comment. There is no software patch to address the issues discovered by the two agencies.

“The FDA and CISA continue to work with Contec to correct these vulnerabilities as soon as possible.” 

Internet activity

The software on the monitors “includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised,” the FDA said. 

“Once the patient monitor is connected to the internet, it begins gathering patient data, including personally identifiable information (PII) and protected health information (PHI), and exfiltrating (withdrawing) the data outside of the health care delivery environment.”

CISA said the IP address connected to the backdoor is “not associated with a medical device manufacturer or medical facility but a third-party university.” 

The agency did not name the university or its location. CISA and the FDA did not respond to requests for comment about the university.

Patients and healthcare providers should ask healthcare facilities if their devices have remote monitoring features, which allow hospital officials to look at patient vital signals from another location, the agencies said. 

If it is confirmed that a device allows remote monitoring, “unplug the device and stop using it,” the FDA warned. Patients should ask for an alternative patient monitor. 

The agency urged hospital staff to use only local monitoring features, which would allow them to unplug the device’s ethernet cable and disable wireless capabilities. 

“The FDA has authorized these patient monitors only for wired functionality (that is, ethernet connectivity). However, the FDA is aware that some patient monitors may be available with wireless (that is, WiFi or cellular) capabilities without FDA authorization,” the agency noted.

Disclosed by a researcher 

In a longer technical report about the issues, CISA said an external researcher notified the agency of the issues through its Coordinated Vulnerability Disclosure Process. CISA then tested the findings and “discovered what resembles a reverse backdoor within all three of the firmware packages.”

While some companies enable this kind of functionality for updates, CISA said it is unlikely this is the case for the backdoors discovered. They found that the functionality exhibited “highly unusual characteristics that do not support the implementation of a traditional update feature.”

“When the function is executed, files on the device are forcibly overwritten, preventing the end customer — such as a hospital — from maintaining awareness of what software is running on the device,” CISA said. 

“These types of actions and the lack of critical log/auditing data go against generally accepted practices and ignore essential components for properly managed system updates, especially for medical devices.”