Cyber Alert – Patient Monitors (Contec CMS8000)

Kopiha Nathan

Attention HIROC Subscribers:

As your proactive partner in safety, HIROC is sharing the following important notice.

Please share this Alert with your Biomedical team, Information Technology (IT) team, Information Security Management team, Chief Information Officer, and Chief Technology Officer and as appropriate with your users, to raise awareness about a potential cyber threat and to address potential risks promptly.

The purpose of this alert is to inform you of a cybersecurity and privacy risk discovered in patient monitors from Contec Health (specifically Contec CMS8000, also marketed as Epsimed MN-120 and possibly re-labeled by other resellers).

These monitors are used to continuously monitor patients’ vitals, including electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate[i].

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported the discovery of the following vulnerabilities with the Contec CMS8000:

  • A backdoor function with a hard-coded IP address, CWE-912: Hidden Functionality (CVE-2025-0626), and
  • Functionality that enables patient data spillage, CWE-359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683)[ii].

These vulnerabilities may lead to:

  • Patient safety risks, as remote code execution can render the device unreliable and lead to an improper response to a patient’s vital signs.
  • Compromise of the hospital network, as the backdoor contained in the software can allow threat actors to access connected devices and networks.
  • Data leakage, as the affected patient monitors can connect to the internet and send personal health information (PHI) to an unauthorized external party[iii].

Currently, a patch is not available to address these vulnerabilities.

HIROC recommends that Subscribers:

  • Increase awareness and educate the clinical team to pay attention to any signs of unusual functioning, such as inconsistencies between the displayed patients’ vitals and the patients’ actual physical state.
  • Take inventory of all patient monitors and verify whether the Contec CMS8000 or any of its known re-labeled versions is present.
  • If present, work with the biomedical department and clinical team to safely move these devices from remote monitoring to local monitoring, and safely disconnect them from the internet and the internal network. If that is not possible, segregate them from core hospital networks to limit exposure.
  • Work with your Security Operations Centre, Security Team or Information Technology (IT) team to identify anomalies in your network, internet activity, data packet movements, etc.
  • Continue to monitor Health Canada, the FDA, the Canadian Centre for Cyber Security (CCCS) and CISA for risk mitigation strategies, updated information related to exploitation of these vulnerabilities, and important security patch releases.
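One way to combine the inventory step with the network-anomaly step above is to check flow or firewall logs for any inventoried CMS8000 (or re-labeled) monitor that reaches an address outside the internal network, since an affected device should never need to. This is an added example and not part of the HIROC alert or any Contec software; the inventory layout, the flow-record format, and all addresses (RFC 1918 internal ranges, TEST-NET placeholders for external hosts) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption): asset tag -> (model, management IP).
INVENTORY = {
    "ICU-MON-01": ("Contec CMS8000", "10.20.30.11"),
    "ICU-MON-02": ("Epsimed MN-120", "10.20.30.12"),
    "ICU-MON-03": ("OtherVendor Monitor", "10.20.30.13"),
}
# Models named in the alert as affected (re-labeled versions added as identified).
AFFECTED_MODELS = {"Contec CMS8000", "Epsimed MN-120"}

# Destinations a monitor is allowed to reach (assumption: internal RFC 1918 space only).
ALLOWED_DESTS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in "src,dst,dport,bytes" form; external hosts use TEST-NET addresses.
SAMPLE_FLOWS = """\
10.20.30.11,10.20.1.5,443,1200
10.20.30.11,203.0.113.77,443,8400
10.20.30.12,198.51.100.9,8080,5100
10.20.30.13,203.0.113.77,443,300
"""


def affected_monitors(inventory):
    """Return {ip: asset_tag} for inventoried devices whose model is in the affected set."""
    return {ip: tag for tag, (model, ip) in inventory.items() if model in AFFECTED_MODELS}


def parse_flows(text):
    """Parse the simple comma-separated flow format into (src, dst, dport, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = line.split(",")
        rows.append((src, dst, int(dport), int(nbytes)))
    return rows


def external_egress(flows, watch):
    """Flows whose source is a watched monitor and whose destination is outside ALLOWED_DESTS."""
    hits = []
    for src, dst, dport, nbytes in flows:
        if src not in watch:
            continue  # not an affected monitor; other devices are out of scope here
        if not any(ipaddress.ip_address(dst) in net for net in ALLOWED_DESTS):
            hits.append({"asset": watch[src], "src": src, "dst": dst,
                         "dport": dport, "bytes": nbytes})
    return hits
```

Each hit identifies a monitor that should be disconnected or segregated and a destination worth reviewing with the security team.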

We are here for you!

In the event of a cyber loss, please contact Marnie MacPhee, Director of Claims at [email protected] (416-730-3056), or HIROC’s Claims Department at [email protected].

For Healthcare Safety and Risk Management resources and advice, please contact us at [email protected].

If you have any questions about this Alert, please contact Kopiha Nathan, HIROC’s Lead, Privacy and Compliance Officer at [email protected] (416-400-7971).

Thank you for your vigilance and attention to this matter.

Kopiha Nathan is HIROC's Lead, Privacy and Compliance Officer.