A potential security backdoor leading to a China-based IP address has been found in a family of patient monitoring devices used in Australian healthcare, according to the Cybersecurity and Infrastructure Security Agency (CISA).
On 30 January, US cybersecurity watchdog CISA issued a security alert for a backdoor in the Contec CMS8000 line of patient monitors.
The devices – which are manufactured in China and used to monitor patients' vital signs in Australia, the US and the EU – were found to have an update mechanism that sent remote access requests to a China-based IP address linked not to a medical facility or device manufacturer, but to a third-party university.
“The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so,” wrote CISA.
The backdoor (tracked as CVE-2025-0626) could effectively allow remote code execution and “device modification” with the ability to alter settings, according to CISA.
The agency warned of a “risk to patient safety”, given a malfunctioning monitor could result in improper responses to vital signs – such as heart rate, blood pressure and respiration rate – being displayed on the device.
“CISA recommends users remove any Contec CMS8000 devices from their networks,” the agency warned.
Cybersecurity firm Claroty meanwhile voiced scepticism over the apparent backdoor, arguing it may just be a non-malicious design flaw rather than a “hidden functionality” as suggested by CISA.
FDA warns staff to unplug device
The US Food and Drug Administration (FDA) backed CISA’s alert with a safety announcement of its own, warning health care providers, patients and caregivers that CMS8000 devices could “put patients at risk after being connected to the internet”.
The FDA further warned cybersecurity staff at health care facilities to only use the local monitoring features of the device.
“If your patient monitor relies on remote monitoring features, unplug the device and stop using it,” said the FDA.
Government agencies have warned the Contec CMS8000 should be unplugged. Photo: Contec
Both CISA and the FDA warned of an additional ‘out-of-bounds write’ vulnerability (tracked as CVE-2024-12248) which could allow attackers to effectively trick the device’s software into allowing remote code execution.
A third vulnerability report (CVE-2025-0683) showed that when CMS8000 completes its default start-up routine, the device automatically beacons to the China-based IP address and transmits patient data to it.
Information Age understands this data could include patient numbers, admission dates, names, dates of birth and relevant hospital departments.
“This could lead to a leakage of confidential patient data to any device with that IP address, or an attacker in a machine-in-the-middle scenario,” wrote CISA.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at the time of writing.
Horrible design at best, a malicious backdoor at worst
Notably, CISA described the China-based IP and its related “backdoor” update mechanism as a “hidden functionality”.
Claroty’s research team, Team82, however, found the IP address was explicitly listed and used for configuration advice in CMS8000 manuals – which is notable given backdoor vulnerabilities are typically clandestine and undocumented in nature.
“We identified this not as a hidden backdoor but instead as a serious design issue [because] the entire interaction with the hardcoded IP address was not hidden functionality, which is characteristic of a backdoor,” Team82 vulnerability researcher Noam Moshe told Information Age.
“Instead, the communication with this IP address is clearly listed in the product documentation.”
Team82’s findings suggest it was “not likely” CMS8000 was housing a campaign to harvest data, but more probably had an “inadvertent exposure” that could be leveraged for malicious purposes in the wrong hands.
While the team’s research was rather involved, Information Age understands the underlying design flaw relates to Contec’s use of a public IP address format for what conventionally should have been a strictly private format for local networks.
Under the wrong circumstances – such as when a user strays from their default network configuration – the device’s update routines could accidentally fetch data over the internet, opening the risk of interception (machine-in-the-middle) attacks and, potentially, code execution.
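A defender-side check suggested by the behaviour described above, added here as an example and not code from CISA, Claroty or Contec: given constructed firewall flow records from a patient-monitor VLAN, flag any monitor that contacts an address outside the RFC 1918 private ranges unless that address is an explicitly approved server. The subnet, the approved server and the log format are assumptions.

```python
import ipaddress

# Constructed sample flow records: "timestamp src dst dst_port bytes",
# as a firewall or NetFlow export might show shortly after the monitors boot.
SAMPLE_FLOWS = [
    "2025-01-30T08:00:01 10.20.5.11 10.20.5.250 4000 512",   # local monitoring station
    "2025-01-30T08:00:02 10.20.5.11 203.0.113.45 80 4096",   # public address, not approved
    "2025-01-30T08:00:03 10.20.5.12 10.20.9.10 443 900",     # approved on-site update server
    "2025-01-30T08:00:04 10.20.5.12 198.51.100.7 443 2048",  # public address, not approved
    "2025-01-30T08:00:05 10.20.5.13 10.20.5.250 4000 256",   # local monitoring station
]

# Assumed site layout: monitors live in one VLAN; one on-site server is approved.
MONITOR_SUBNET = ipaddress.ip_network("10.20.5.0/24")
APPROVED_SERVERS = {ipaddress.ip_address("10.20.9.10")}

# RFC 1918 ranges: the only destinations a monitor should normally need.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)

def is_unexpected_destination(dst):
    """True when a monitor talks to something neither approved nor RFC 1918 private."""
    if dst in APPROVED_SERVERS:
        return False
    return not any(dst in net for net in PRIVATE_RANGES)

def find_beacons(lines):
    """Return one alert dict per flow from the monitor VLAN to an unexpected destination."""
    alerts = []
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        if src not in MONITOR_SUBNET:
            continue  # only monitor-originated traffic is in scope here
        if is_unexpected_destination(dst):
            alerts.append({"time": ts, "monitor": str(src), "dest": str(dst),
                           "port": port, "bytes": nbytes})
    return alerts

if __name__ == "__main__":
    for a in find_beacons(SAMPLE_FLOWS):
        print(f"ALERT {a['time']} monitor {a['monitor']} -> {a['dest']}:{a['port']} ({a['bytes']} B)")
```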
Moshe stressed that while the public-facing servers are not currently serving malicious binaries, this “could change in the future”.
“This is such a serious issue because it introduces major risk to these devices,” said Moshe.
“A malicious actor could gain control of the IP addresses and use them to serve malicious code and control monitors around the world.”
Team82 ultimately determined the patient monitors “are still running vulnerable code” and recommended replacing them with a “more secure device” while the vulnerabilities persist.