CISA, FDA Warn of Dangerous Backdoor in Contec Patient Monitors

The cybersecurity agency CISA and the FDA have urged healthcare organizations in the United States to remove any Contec CMS8000 patient monitors from their environments, due to remote code execution and device tampering risks.

Manufactured by Chinese company Contec Medical Systems, the device is used in the US and the European Union to monitor patients’ vital signs, including heart rate, blood oxygen saturation, blood pressure, and more.

Contec CMS8000, CISA says, contains a backdoor function in its firmware that could allow attackers to upload and overwrite files on the device, bypassing existing device network settings.

“The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files. Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but a third-party university,” CISA notes in a fact sheet ...