Cyber Posture

CVE-2025-0626

High

Published: 30 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.

Security Summary

CVE-2025-0626 is a vulnerability in the "monitor" binary within the firmware of Contec CMS8000 patient monitors and certain patient monitors from Contec and Epsimed. When triggered by a user attempting a device update from the menu, the binary attempts to mount a network share to a hard-coded, routable IP address, bypassing the device's existing network settings. It also automatically enables the network interface if it is disabled. This functionality effectively creates a backdoor, enabling potential file upload and overwrite capabilities on the device.

The vulnerability can be exploited by any unauthenticated attacker (PR:N) with network access (AV:N) who can induce user interaction (UI:R), such as tricking a user into selecting the update option via the device menu. Exploitation involves high complexity (AC:H). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), for an overall CVSS v3.1 score of 7.5: attackers can upload and overwrite files, potentially leading to full device compromise.

Advisories from CISA (ICSMA-25-030-01 and resources on Contec CMS8000) and FDA safety communications detail cybersecurity vulnerabilities in these patient monitors and provide mitigation guidance.

The backdoor connects to an IP address linked to China, as noted in security reporting, highlighting risks in healthcare device firmware supply chains.

Details

CWE(s)
CWE-912
