CVE-2024-12248
Published: 30 January 2025
Description
Contec Health CMS8000 Patient Monitor is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution.
Security Summary
CVE-2024-12248 is an out-of-bounds write vulnerability (CWE-787) affecting the Contec Health CMS8000 Patient Monitor. The flaw enables an attacker to send specially formatted UDP requests that allow writing arbitrary data outside intended memory bounds, potentially resulting in remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Any unauthenticated attacker with network access to the affected device can exploit this vulnerability by crafting and transmitting malicious UDP packets. Successful exploitation could achieve full remote code execution on the patient monitor, with high impact on confidentiality, integrity, and availability. This could potentially allow attackers to alter device functions, exfiltrate sensitive patient data, or disrupt critical healthcare operations.
Mitigation details are outlined in advisories from CISA (ICSMA-25-030-01) and the FDA, available at the referenced URLs, which provide guidance for addressing the vulnerability in Contec and related patient monitors.
Details
- CWE(s)