Attackers Could Gain Control of 2 Flawed Patient Monitors
Feds Warn Flaws Could Lead to 'Simultaneous Exploitation' of All Devices
Patients are being advised to sever their health monitor's connection to the internet as U.S. federal authorities warn that cybersecurity vulnerabilities in two brands of patient monitors could allow remote attackers to take control of potentially thousands of devices all at once.
Authorities and researchers say remote attackers could manipulate the vulnerable monitors in many ways, from shutting down a device to stealing patient information. "Simultaneous exploitation of all vulnerable devices on a shared network is possible," according to the Cybersecurity and Infrastructure Security Agency.
The Food and Drug Administration in an alert on Thursday said the issues concern two brands of patient monitors - the Contec CMS8000 and Epsimed MN-120. The Epsimed monitors are Contec CMS8000 patient monitors relabeled as MN-120, the FDA said.
The monitors, which are used in both healthcare and home settings to display vital sign information such as patient temperature, heart rate and blood pressure, contain three vulnerabilities that may put patients at risk once the device is connected to the internet.
"These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device," the FDA said, adding that it is not aware of any cybersecurity incidents, injuries or deaths related to these vulnerabilities at this time.
CISA also issued an advisory about the patient monitor vulnerabilities: an out-of-bounds write (CVE-2024-12248), hidden backdoor functionality (CVE-2025-0626) and privacy leakage (CVE-2025-0683).
"Successful exploitation of these vulnerabilities could allow an attacker to remotely send specially formatted UDP requests or connect to an unknown external network that would allow them to write arbitrary data, resulting in remote code execution," CISA said.
An attacker exploiting the vulnerabilities could deny access to the device, for example by crashing it so that it no longer works as intended, and could remotely perform unexpected or undesired actions, such as corrupting data, the FDA said.
An anonymous researcher reported the vulnerabilities to CISA. No patch is currently available to address the vulnerabilities, the FDA said.
Neither Contec nor Epsimed immediately responded to Information Security Media Group's requests for comment on the vulnerabilities.
Taking Action
The FDA recommends that patients and caregivers using the monitors at home unplug the device's Ethernet cable and disable its wireless or cellular capabilities, so that patient vital signs are only viewable in the physical presence of the patient.
"If you cannot disable the wireless capabilities, unplug the device and stop using it," the FDA said.
The FDA offered healthcare organizations using the monitors in their facilities similar recommendations. "If your patient monitor relies on remote monitoring features, unplug the device and stop using it. If your device does not rely on remote monitoring features, unplug the device’s Ethernet cable and disable wireless capabilities," the FDA said.
"If you cannot disable the wireless capabilities, then continuing to use the device will expose the device to the backdoor and possible continued patient data exfiltration."
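For a facility that cannot remove every affected monitor immediately, the first operational question is whether any monitor is already reaching a destination it should not, or receiving unsolicited UDP from outside the monitoring network, the two paths CISA's advisory describes. The script below is an added example written for this article, not code from CISA, the FDA, Contec or Epsimed. The key=value flow-record format, the 10.20.30.0/24 monitor subnet, the allowlisted central-station and NTP addresses and every sample record are constructed assumptions; it encodes no real indicator from the advisory, and is meant to be adapted to a site's own firewall or NetFlow export.

```python
"""Flag patient-monitor traffic that does not match an expected-destination
allowlist. Added illustration; the flow format, subnet and allowlist below are
constructed assumptions, not values from the CISA or FDA advisories."""
import ipaddress
from collections import defaultdict

# Assumption: patient monitors sit in a dedicated VLAN/subnet.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Assumption: the only hosts a monitor legitimately talks to are the local
# central monitoring station and the hospital's internal NTP server.
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("10.20.1.5"),    # central monitoring station (assumed)
    ipaddress.ip_address("10.20.1.123"),  # internal NTP server (assumed)
}


def parse_flow(line):
    """Parse one constructed 'k=v k=v ...' flow record into a dict.
    Returns None for a malformed record instead of raising."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"].upper(),
            "dport": int(fields["dport"]),
            "bytes": int(fields.get("bytes", 0)),
        }
    except (KeyError, ValueError):
        return None


def classify_flow(f):
    """Return 'outbound' when a monitor talks to any non-allowlisted host
    (the advisory's 'connect to an unknown external network' path, but also
    unexpected internal peers), 'inbound-udp' when a non-allowlisted host
    sends UDP to a monitor (the 'specially formatted UDP requests' path),
    and None for expected traffic."""
    if f["src"] in MONITOR_SUBNET and f["dst"] not in ALLOWED_DESTINATIONS:
        return "outbound"
    if (f["dst"] in MONITOR_SUBNET and f["src"] not in ALLOWED_DESTINATIONS
            and f["proto"] == "UDP"):
        return "inbound-udp"
    return None


def suspicious_flows(lines):
    """Return a list of (kind, flow) for every record worth alerting on,
    skipping malformed lines and traffic not involving a monitor."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        kind = classify_flow(f)
        if kind is not None:
            hits.append((kind, f))
    return hits


def bytes_out_per_monitor(hits):
    """Sum bytes each monitor sent to non-allowlisted hosts: a crude
    indicator of the patient-data exfiltration the FDA warns about."""
    totals = defaultdict(int)
    for kind, f in hits:
        if kind == "outbound":
            totals[str(f["src"])] += f["bytes"]
    return dict(totals)


# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    "src=10.20.30.11 dst=10.20.1.5 proto=tcp dport=4000 bytes=2048",      # expected
    "src=10.20.30.11 dst=10.20.1.123 proto=udp dport=123 bytes=96",       # expected NTP
    "src=10.20.30.11 dst=203.0.113.7 proto=tcp dport=80 bytes=153600",    # unknown host
    "src=10.20.30.12 dst=198.51.100.9 proto=udp dport=5000 bytes=4096",   # unknown host
    "src=10.20.40.3 dst=203.0.113.7 proto=tcp dport=443 bytes=512",       # not a monitor
    "src=203.0.113.7 dst=10.20.30.12 proto=udp dport=5000 bytes=64",      # inbound UDP
    "src=10.20.1.5 dst=10.20.30.12 proto=udp dport=5000 bytes=64",        # allowlisted peer
    "garbage line",                                                       # malformed
]

if __name__ == "__main__":
    hits = suspicious_flows(SAMPLE_FLOWS)
    for kind, f in hits:
        print(f"ALERT {kind}: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} "
              f"({f['bytes']} bytes)")
    print("bytes to non-allowlisted hosts per monitor:", bytes_out_per_monitor(hits))
```

A hit from the outbound check is exactly the condition the FDA describes as continued exposure to the backdoor; the script is an inventory and triage aid, not a mitigation, and the advice to disconnect the device still stands for any monitor that produces one.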
CISA said the affected monitors are manufactured in China but deployed worldwide.