CVE-2025-0626
published 2025-01-30

CVE-2025-0626: hard-coded, routable IP address in the "monitor" binary of the Contec Health CMS8000 patient monitor firmware

Priority: P2 · 77 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 1.12% (62.0th percentile)
The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.

Affected (1 range)

Vendor: contec_health
Product: cms8000_patient_monitor
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

IP: 202.114.4.120
IP: 202.114.4.119
Port: 511
Port: 515-520
Process: monitor

Snort/Suricata rule (ET SID 2059840):
alert tcp $HOME_NET any -> 202.114.4.120 511 (msg:"ET INFO Contec Health CMS8000 Patient Monitor Insecure Default HL7 Protocol Server IP (CVE-2025-0626)"; flow:stateless,to_server; reference:url,claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated; reference:cve,2025-0626; classtype:policy-violation; sid:2059840; rev:3; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_02_03, cve CVE_2025_0626, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Minor, updated_at 2026_01_15; target:src_ip;)

Snort/Suricata rule (ET SID 2059841):
alert tcp $HOME_NET any -> 202.114.4.119 [515:520] (msg:"ET INFO Contec Health CMS8000 Patient Monitor Insecure Default CMS Protocol Server IP (CVE-2025-0626)"; flow:stateless,to_server; reference:url,claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated; reference:cve,2025-0626; classtype:policy-violation; sid:2059841; rev:3; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_02_03, cve CVE_2025_0626, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_15; target:src_ip;)
  • Monitor outbound TCP connections from CMS8000 devices to the two hard-coded addresses: 202.114.4.120 on port 511 (HL7 protocol) and 202.114.4.119 on ports 515–520 (CMS protocol). The "monitor" binary re-enables the device's network interface if it was disabled, so a monitor believed to be offline can still produce this traffic.
  • Deploy ET Snort/Suricata rule SID 2059840 to detect CMS8000 devices connecting to 202.114.4.120:511 (HL7 channel) and SID 2059841 for connections to 202.114.4.119 on ports 515–520 (CMS protocol channel). The advisory text notes that this traffic could serve as a backdoor and allow files on the device to be uploaded or overwritten.
  • The behaviour is embedded in the "monitor" binary inside the device firmware; only firmware that no longer contains the hard-coded address fully remediates it, and no fixed version is listed above. Blocking the two addresses at the network boundary is a compensating control only.
  • Disabling the network interface on the CMS8000 is not a standalone mitigation: the "monitor" binary re-enables the interface when an update is triggered from the user menu.
  • Both rules use flow:stateless,to_server. "stateless" means they match without requiring an established TCP session, and "to_server" restricts them to packets travelling from $HOME_NET toward the listed address and port; packets coming back from 202.114.4.119 or 202.114.4.120 do not fire them. Any host in $HOME_NET, not only a CMS8000, will trigger them, so scope $HOME_NET (or the rule's source) to the medical-device network segment to keep the alerts meaningful.
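The following is an added example, not code from the page, from Emerging Threats/Proofpoint or from Contec. It re-implements the 5-tuple matching of the two rule headers above (including the `[515:520]` port range and the `to_server` direction) over Zeek-style conn.log records, so that past beacons to the two hard-coded addresses can be found retrospectively in flow logs. The $HOME_NET value (10.20.0.0/16), the Zeek column layout and the sample records are assumptions and constructed data, not taken from the page.

```python
"""Added example: match ET SID 2059840/2059841 rule headers against Zeek conn.log
records. Not from the page, Emerging Threats or Contec. $HOME_NET, the column
layout and the sample records below are assumed/constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME_NET = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: the device VLAN

# Rule headers copied from the two ET signatures on the page; the rule options
# (msg, flow, sid, ...) do not affect 5-tuple matching and are left out here.
RULE_HEADERS = {
    2059840: "alert tcp $HOME_NET any -> 202.114.4.120 511",
    2059841: "alert tcp $HOME_NET any -> 202.114.4.119 [515:520]",
}

_HEADER = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)$")
_PORT = re.compile(r"^\[?(\d+)(?::(\d+))?\]?$")

PortRange = Optional[Tuple[int, int]]   # None means "any"
Nets = Optional[list]                   # None means "any"


def parse_ports(spec: str) -> PortRange:
    """'any' -> None; '511' -> (511, 511); '[515:520]' -> (515, 520)."""
    if spec == "any":
        return None
    m = _PORT.match(spec)
    if not m:
        raise ValueError(f"unsupported port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return (lo, hi)


def parse_hosts(spec: str) -> Nets:
    """Resolve 'any', $HOME_NET, or a literal IP/CIDR into a list of networks."""
    if spec == "any":
        return None
    if spec == "$HOME_NET":
        return HOME_NET
    return [ipaddress.ip_network(spec, strict=False)]


@dataclass
class Rule:
    sid: int
    proto: str
    src: Nets
    sport: PortRange
    dst: Nets
    dport: PortRange


def parse_rule(sid: int, header: str) -> Rule:
    m = _HEADER.match(header.strip())
    if not m:
        raise ValueError(f"cannot parse rule header {header!r}")
    proto, src, sport, dst, dport = m.groups()
    return Rule(sid, proto, parse_hosts(src), parse_ports(sport),
                parse_hosts(dst), parse_ports(dport))


def _host_ok(nets: Nets, ip: str) -> bool:
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, conn: dict) -> bool:
    """flow:to_server semantics: only originator -> responder is tested, so a
    packet coming back from 202.114.4.119 to the monitor never fires."""
    return (conn["proto"] == rule.proto
            and _host_ok(rule.src, conn["id.orig_h"])
            and _port_ok(rule.sport, conn["id.orig_p"])
            and _host_ok(rule.dst, conn["id.resp_h"])
            and _port_ok(rule.dport, conn["id.resp_p"]))


def parse_conn_log(text: str) -> List[dict]:
    """Minimal Zeek conn.log reader for the assumed column order below."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["id.orig_p"] = int(rec["id.orig_p"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        conns.append(rec)
    return conns


def scan(conns: List[dict], rules: List[Rule]) -> List[Tuple[str, str, str, int, int]]:
    """Return (uid, orig_h, resp_h, resp_p, sid) for every record a rule matches."""
    return [(c["uid"], c["id.orig_h"], c["id.resp_h"], c["id.resp_p"], r.sid)
            for c in conns for r in rules if matches(r, c)]


# Constructed sample records (tab-separated, column order as in parse_conn_log).
SAMPLE_CONN_LOG = "\n".join([
    "1738540800.1\tC1\t10.20.5.17\t49812\t202.114.4.120\t511\ttcp",   # HL7 beacon: SID 2059840
    "1738540801.2\tC2\t10.20.5.17\t49813\t202.114.4.119\t517\ttcp",   # CMS beacon: SID 2059841
    "1738540802.3\tC3\t10.20.5.17\t49814\t202.114.4.119\t521\ttcp",   # port outside 515-520
    "1738540803.4\tC4\t10.20.5.17\t53\t8.8.8.8\t53\tudp",             # unrelated UDP
    "1738540804.5\tC5\t202.114.4.119\t515\t10.20.5.17\t40000\ttcp",   # reverse direction
    "1738540805.6\tC6\t192.168.1.9\t5000\t202.114.4.120\t511\ttcp",   # outside $HOME_NET
])

RULES = [parse_rule(sid, hdr) for sid, hdr in RULE_HEADERS.items()]

if __name__ == "__main__":
    for uid, src, dst, dport, sid in scan(parse_conn_log(SAMPLE_CONN_LOG), RULES):
        print(f"{uid}: {src} -> {dst}:{dport} matched SID {sid}")
```

Run against a real conn.log, only C1 and C2 in the sample fire; C5 shows why `to_server` matters (the responder's reply direction is not an alert) and C6 shows that the source side is entirely controlled by $HOME_NET, which is where the tuning from the bullet above happens.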

CVSS provenance

NVD v3.1: 7.5 HIGH  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD v4.0: 7.7 HIGH  CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 7.7 HIGH