CISA issued an advisory on the CONTEC CMS8000 patient monitor, identifying a potential backdoor that connects to a hardcoded Chinese IP address for patient data transmission and firmware updates. CISA warns that this could enable remote code execution and device modification, posing patient safety risks if vital sign data is altered. However, Claroty argues that it is an insecure design rather than a backdoor, noting that the vendor and resellers list the IP in manuals and instruct users to configure the Central Management System (CMS) with it on internal networks.
The CONTEC CMS8000 firmware transmits patient data to, and receives updates from, the CMS. On startup, the device automatically connects to the hardcoded public IP address and begins transmitting patient information. For remote updates, it uses NFS (Network File System) to mount an NFS share exported by that hardcoded IP and copies files from it without authentication, overwriting system binaries. According to the user manual, this hardcoded address, which is publicly routable, is meant to be assigned to the CMS so that patient data goes to the CMS and updates come from the CMS. However, update files are not verified by any authentication or signature check, and the use of a public IP exposes the device to external networks: it can send patient data (PHI) outside the intended environment and is vulnerable to Man-in-the-Middle (MITM) attacks.
CISA and Claroty strongly recommend disabling the CONTEC CMS8000’s internet connectivity to prevent unauthorized remote access and patient data exposure. Organizations should block all outbound connections to the 202.114.4.0/24 subnet (the hardcoded IP), preventing the device from reaching external IP addresses for firmware updates or data transmission. If the CMS must be used, apply static routes and segment networks to ensure traffic stays within internal systems.
This issue underscores the need for network segmentation in operational environments so that critical devices are isolated from internet exposure. Continuous network monitoring with an IDS is essential to detect unauthorized communications and stop malicious activity early, protecting patient data and medical infrastructure.
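As an added illustration of the monitoring the advisory calls for (example code written for this page, not from CISA, Claroty or CONTEC), the following checks constructed edge-firewall flow records for two conditions: a monitor reaching the hardcoded 202.114.4.0/24 subnet via the internet-facing interface (data leaving the site instead of reaching the internal CMS over a static route), and a monitor fetching NFS updates from any external host. The log format, the monitor addresses and the interface names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Subnet named in the advisory (the hardcoded CMS address lives here).
HARDCODED_NET = ipaddress.ip_network("202.114.4.0/24")
NFS_PORTS = {111, 2049}  # portmapper and NFS, used by the update mechanism
# Assumed (constructed) addresses of the patient monitors on the clinical VLAN.
MONITOR_HOSTS = {"10.20.30.41", "10.20.30.42"}

REASON_HARDCODED = "monitor traffic to 202.114.4.0/24 leaving via the internet edge"
REASON_NFS = "monitor NFS traffic to an external host (unauthenticated update path)"


@dataclass
class Finding:
    line: str
    reason: str


def parse_flow(line):
    """Parse an assumed record: '<ts> src=<ip> dst=<ip> dport=<n> proto=<p> egress=<lan|wan>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), fields["egress"]


def inspect_flow(line):
    """Return a Finding for a flow that violates the segmentation policy, else None."""
    src, dst, dport, egress = parse_flow(line)
    if src not in MONITOR_HOSTS or egress != "wan":
        return None  # only monitor traffic crossing the internet edge is of interest
    if ipaddress.ip_address(dst) in HARDCODED_NET:
        return Finding(line, REASON_HARDCODED)
    if dport in NFS_PORTS:
        return Finding(line, REASON_NFS)
    return None


def scan(lines):
    return [f for f in (inspect_flow(l) for l in lines) if f is not None]


# Constructed sample records; ports and timestamps are illustrative only.
SAMPLE_FLOWS = [
    "2025-02-01T08:00:01 src=10.20.30.41 dst=202.114.4.119 dport=7000 proto=tcp egress=wan",
    "2025-02-01T08:00:02 src=10.20.30.41 dst=202.114.4.119 dport=2049 proto=tcp egress=lan",
    "2025-02-01T08:00:03 src=10.20.30.42 dst=203.0.113.10 dport=2049 proto=tcp egress=wan",
    "2025-02-01T08:00:04 src=10.20.30.7 dst=198.51.100.5 dport=443 proto=tcp egress=wan",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"ALERT: {f.reason}: {f.line}")
```

The second record is allowed because the static route keeps the CMS traffic on the internal interface, which is exactly the configuration the advisory recommends when the CMS must stay in use.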