CISA/FDA Warn: Chinese Patient Monitors Have BAD Bugs
Stop using this healthcare equipment, say the Cybersecurity & Infrastructure Security Agency and the Food & Drug Administration.
Contec’s CMS8000 patient monitors, and badge-engineered clones such as the Epsimed MN-120, have at least three security vulnerabilities. Federal agencies say switch them off (or at least get ’em off the net).
And one CVE has a critical CVSS score of 9.8. In today’s SB Blogwatch, we dust off the old-skool sphygmomanometer.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Houdicadabra.
China Crisis?
What’s the craic? Sneha SK reports: US FDA identifies cybersecurity risks in certain patient monitors
“Unauthorized individuals”
The U.S. Food and Drug Administration [has] identified three cybersecurity risks associated with certain patient monitors from Contec and Epsimed. … Patient monitors, used in both healthcare facilities and home settings, display vital patient information including temperature, heartbeat and blood pressure.
…
The … vulnerabilities in the patient monitors … could allow unauthorized individuals to access and potentially manipulate those devices. … The agency, however, added that it is currently unaware of any cybersecurity incidents, injuries, or deaths related to [the] vulnerabilities.
How bad is it? Steve Alder buries the lede: Backdoor Identified
“CVSS v3.1 base score of 9.8”
A remote code execution vulnerability and a hidden backdoor have been identified in the firmware of widely used patient monitors. … Testing by the Cybersecurity and Infrastructure Security Agency (CISA) determined the backdoor allows patient data to be sent to a hard-coded IP address.
…
After being alerted to firmware vulnerabilities by an anonymous researcher, CISA investigated and confirmed the presence of three vulnerabilities in multiple firmware versions, including a backdoor that silently transfers patient data. … Since patient data is transmitted in plain text, it could be intercepted in a machine-in-the-middle attack. Transmitted patient data includes the doctor’s name, patient ID, patient’s name, patient’s date of birth, and monitoring information. [The] vulnerability is tracked as CVE-2025-0683.
…
A malicious actor could upload and overwrite files on the device. The vulnerability is tracked as CVE-2025-0626. [And a] remote code execution … vulnerability is tracked as CVE-2024-12248 and has been assigned a CVSS v3.1 base score of 9.8.
What should we do? CISA/FDA have these Recommendations for Patients and Caregivers
“Stop using it”
There is no software patch available to help mitigate this risk. … If your health care provider confirms that your device relies on remote monitoring features, unplug the device and stop using it. Talk to your health care provider about finding an alternative.
…
Use only the local monitoring features of the patient monitor. This means unplugging the device’s ethernet cable and disabling wireless … capabilities, so that patient vital signs are only observed … in the physical presence of a patient. If you cannot disable the wireless capabilities, unplug the device and stop using it.
Who’s responsible? jeroenhd informs us thuswise:
Notably, the backdoor uploads data to an NFS share hosted on a [Chinese] university IP (the exact university has not been made clear). Data includes patient names, doctor names, date of birth, and the specific hospital department the patient is at.
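An added example, not code from the article, CISA or the FDA: defender-side detection that flags a patient monitor opening NFS-style connections (portmapper and nfsd ports) to any destination outside an approved on-site list, run over constructed flow-log lines. The monitor subnet, the approved ranges, the log format and every address are assumptions, not values from the advisory.

```python
import ipaddress
from typing import Dict, List

MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")   # assumed monitor VLAN
APPROVED_DESTS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed on-site servers
NFS_PORTS = {111, 2049}  # portmapper and nfsd, what an NFS upload would need

# Constructed flow-log lines (timestamp src_ip src_port dst_ip dst_port proto).
# 203.0.113.45 is a documentation address standing in for an unknown external host.
SAMPLE_FLOWS = """\
2025-01-30T12:00:01Z 10.20.30.15 49152 10.20.5.10 443 tcp
2025-01-30T12:00:07Z 10.20.30.15 51000 203.0.113.45 2049 tcp
2025-01-30T12:00:07Z 10.20.30.15 51001 203.0.113.45 111 tcp
2025-01-30T12:00:09Z 10.20.30.22 40000 10.20.5.12 2049 tcp
2025-01-30T12:01:00Z 10.20.40.9 50000 203.0.113.45 2049 tcp
"""


def parse_flow(line: str) -> Dict[str, object]:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src_ip": src, "src_port": int(sport),
            "dst_ip": dst, "dst_port": int(dport), "proto": proto}


def is_suspicious(flow: Dict[str, object]) -> bool:
    """True when a monitor talks NFS to a destination that is not approved."""
    src = ipaddress.ip_address(flow["src_ip"])
    dst = ipaddress.ip_address(flow["dst_ip"])
    if src not in MONITOR_SUBNET or flow["dst_port"] not in NFS_PORTS:
        return False
    return not any(dst in net for net in APPROVED_DESTS)


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Return every flow in the log that should raise an alert."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [f for f in flows if is_suspicious(f)]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_FLOWS):
        print(f"ALERT {f['ts']} monitor {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']}")
```

Only the two flows from the monitor to the external host on NFS ports are flagged; NFS to an approved on-site server and traffic from outside the monitor segment are left alone.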
A university? bernesto shaves with Occam’s razor:
Everyone jumps on the US-good, CCP-bad bandwagon without using common sense. … Let’s use our critical thinking skills.
…
This was likely just field testing code left over and missed during code review by an underpaid undergrad. Not some nefarious plot to steal your heart rate data.
…
Cheap labor. Ignore the engineers. Ship it. What could go wrong?
So it’s a race to the bottom? I think you ought to know AmiMoJo’s feeling very depressed:
Most of these backdoors, including US and European ones, are for factory testing and debugging. They are incredibly common. … Happens in every country.
…
You can go back year after year of CCC and Defcon talks about them. I’ve been there in my career — business demands for faster manufacturing and the ability for technicians to diagnose and fix problems are strong. Bosses don’t care about security because if they get hacked they blame the “sophisticated state sponsored hacker” and do the bare minimum to fix that specific vulnerability.
Should we be alarmed, though? Yes, says david 12:
If all this backdoor allowed was for the device to send my name, heart rate and CO2 levels to an AI training company in China, I wouldn’t be … alarmed. However, the actual FDA warning is that the open backdoor allows the ability to alter its configuration, introducing risk to patient safety.
…
That justifies alarm.
But are you feeling some déjà vu? DavieBoy certainly is:
Given these from 2022, the devices should have been retired a long time ago:
CVE-2022-36385 – IMPROPER ACCESS CONTROLS – CWE-284
CVE-2022-38100 – UNCONTROLLED RESOURCE CONSUMPTION – CWE-400
CVE-2022-38069 – USE OF HARD-CODED CREDENTIALS – CWE-798
CVE-2022-38453 – ACTIVE DEBUG CODE – CWE-489
CVE-2022-3027 – IMPROPER ACCESS CONTROL – CWE-284
Meanwhile, arglebargle_xiv eyerolls furiously:
This is just the usual yellow-peril scaremongering. Take a product made by a mom and apple pie, flag saluting, gun waving … US company and it’ll also be riddled with vulnerabilities, it just ends up as a conference paper or talk in that case.
And Finally:
Samuel says, “Houdini if the production was decent.”
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Joshua Chehov (via Unsplash; leveled and cropped)