CVE-2025-0626
Vulnerability from cvelistv5
Published
2025-01-30 18:17
Modified
2025-03-01 17:12
Severity ?
7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.
References
ics-cert@hq.dhs.govhttps://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01
ics-cert@hq.dhs.govhttps://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication
af854a3a-2127-422b-91ae-364da2661108https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/
af854a3a-2127-422b-91ae-364da2661108https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor
af854a3a-2127-422b-91ae-364da2661108https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication
Impacted products
Vendor Product Version
Contec Health CMS8000 Patient Monitor Version: All versions
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2025-01-31T15:37:36.861Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor",
               },
               {
                  url: "https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication",
               },
               {
                  url: "https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/",
               },
            ],
            title: "CVE Program Container",
            x_generator: {
               engine: "ADPogram 0.0.1",
            },
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-0626",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-30T19:08:00.729447Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-12T20:41:36.928Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "CMS8000 Patient Monitor",
               vendor: "Contec Health",
               versions: [
                  {
                     status: "affected",
                     version: "All versions",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "An anonymous researcher reported these vulnerabilities to CISA.",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">The \"monitor\" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.</span>",
                  },
               ],
               value: "The \"monitor\" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.",
            },
         ],
         metrics: [
            {
               cvssV4_0: {
                  Automatable: "NOT_DEFINED",
                  Recovery: "NOT_DEFINED",
                  Safety: "NOT_DEFINED",
                  attackComplexity: "LOW",
                  attackRequirements: "PRESENT",
                  attackVector: "NETWORK",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  privilegesRequired: "NONE",
                  providerUrgency: "NOT_DEFINED",
                  subAvailabilityImpact: "NONE",
                  subConfidentialityImpact: "NONE",
                  subIntegrityImpact: "NONE",
                  userInteraction: "PASSIVE",
                  valueDensity: "NOT_DEFINED",
                  vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                  version: "4.0",
                  vulnAvailabilityImpact: "HIGH",
                  vulnConfidentialityImpact: "HIGH",
                  vulnIntegrityImpact: "HIGH",
                  vulnerabilityResponseEffort: "NOT_DEFINED",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-912",
                     description: "CWE-912 Hidden Functionality",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-01T17:12:24.132Z",
            orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            shortName: "icscert",
         },
         references: [
            {
               url: "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01",
            },
            {
               url: "https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication",
            },
         ],
         source: {
            advisory: "ICSMA-25-030-01",
            discovery: "EXTERNAL",
         },
         title: "Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor",
         workarounds: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.</p><p>If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.</p><p>Please note that this device may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA's <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication\">safety communication</a>.</p>",
                  },
               ],
               value: "Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.\n\nIf asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.\n\nPlease note that this device may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA's  safety communication https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication .",
            },
         ],
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
      assignerShortName: "icscert",
      cveId: "CVE-2025-0626",
      datePublished: "2025-01-30T18:17:29.717Z",
      dateReserved: "2025-01-21T17:29:48.728Z",
      dateUpdated: "2025-03-01T17:12:24.132Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2025-0626\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-01-30T19:15:14.010\",\"lastModified\":\"2025-03-01T18:15:34.140\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The \\\"monitor\\\" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.\"},{\"lang\":\"es\",\"value\":\"El producto afectado envía solicitudes de acceso remoto a una dirección IP codificada, omitiendo la configuración de red existente del dispositivo para hacerlo. Esto podría funcionar como una puerta trasera y permitir que un actor malintencionado pueda cargar y sobrescribir archivos en el dispositivo.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-912\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor\"}, {\"url\": \"https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication\"}, {\"url\": \"https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-31T15:37:36.861Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0626\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-30T19:08:00.729447Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:40:20.309Z\"}}], \"cna\": {\"title\": \"Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor\", \"source\": {\"advisory\": \"ICSMA-25-030-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"An anonymous researcher reported these vulnerabilities to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Contec Health\", \"product\": \"CMS8000 Patient Monitor\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01\"}, {\"url\": \"https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.\\n\\nIf asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.\\n\\nPlease note that this device may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA's  safety communication https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication .\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"<p>Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.</p><p>If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.</p><p>Please note that this device may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA's <a target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication\\\">safety communication</a>.</p>\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The \\\"monitor\\\" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"<span style=\\\"background-color: rgb(255, 255, 255);\\\">The \\\"monitor\\\" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.</span>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-912\", \"description\": \"CWE-912 Hidden Functionality\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-03-01T17:12:24.132Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2025-0626\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-01T17:12:24.132Z\", \"dateReserved\": \"2025-01-21T17:29:48.728Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-01-30T18:17:29.717Z\", \"assignerShortName\": \"icscert\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.