CVE-2025-0626
Published: 2025-01-30
Priority P2 · 77 · High · 7.5 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 1.12% (62.0th percentile)
The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contec_health | cms8000_patient_monitor | — | — |
Detection & IOCs (extracted from sources)
Snort rule, SID 2059840 (HL7 protocol server IP):

```snort
alert tcp $HOME_NET any -> 202.114.4.120 511 (msg:"ET INFO Contec Health CMS8000 Patient Monitor Insecure Default HL7 Protocol Server IP (CVE-2025-0626)"; flow:stateless,to_server; reference:url,claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated; reference:cve,2025-0626; classtype:policy-violation; sid:2059840; rev:3; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_02_03, cve CVE_2025_0626, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Minor, updated_at 2026_01_15; target:src_ip;)
```
Snort rule, SID 2059841 (CMS protocol server IP):

```snort
alert tcp $HOME_NET any -> 202.114.4.119 [515:520] (msg:"ET INFO Contec Health CMS8000 Patient Monitor Insecure Default CMS Protocol Server IP (CVE-2025-0626)"; flow:stateless,to_server; reference:url,claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated; reference:cve,2025-0626; classtype:policy-violation; sid:2059841; rev:3; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_02_03, cve CVE_2025_0626, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_15; target:src_ip;)
```
- Monitor outbound TCP connections from CMS8000 devices to the hard-coded IP 202.114.4.119 on ports 515–520 (CMS protocol). The device's network interface may be forcibly re-enabled even if it was previously disabled.
- Deploy Snort/Suricata rule SID 2059840 to detect CMS8000 devices beaconing to 202.114.4.120:511 (HL7 backdoor channel).
- Deploy Snort/Suricata rule SID 2059841 to detect CMS8000 devices beaconing to 202.114.4.119 on ports 515–520 (CMS protocol backdoor channel).
- The backdoor behavior is embedded in the 'monitor' binary within the device firmware itself; patching or firmware replacement is required to fully remediate — network-level blocking of the hard-coded IPs is a compensating control only.
- Disabling the network interface on the CMS8000 is insufficient as a standalone mitigation; the 'monitor' binary will re-enable it when a firmware update is triggered.
- Both Snort rules use 'flow:stateless,to_server', meaning they fire on any packet headed toward the listed server IP and port regardless of TCP session state (no established connection is required) — tune accordingly to reduce false positives in environments with legitimate traffic to these addresses.
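For sites that export flow records rather than running inline IDS, the following added example (not from the advisory, the Emerging Threats rules, or the vendor) mirrors the two signatures above against Zeek-style conn.log lines; the tab-separated column layout and the log lines themselves are constructed for illustration, and the destination IP/port pairs are the ones on this page.

```python
"""Flag CMS8000 beaconing to the hard-coded IPs named in CVE-2025-0626.

Added example: re-implements the destination IP/port criteria of the two
Snort rules above (SID 2059840 and SID 2059841) as an offline check over
Zeek-style conn.log lines. The sample records below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Destination IP and port range taken from each rule, keyed by its SID.
RULES = {
    2059840: ("202.114.4.120", range(511, 512)),  # HL7 protocol server, port 511
    2059841: ("202.114.4.119", range(515, 521)),  # CMS protocol server, ports 515-520
}

# Constructed conn.log-style records (assumed columns):
# ts, uid, src_ip, src_port, dst_ip, dst_port, proto
SAMPLE_CONN_LOG = """\
1738540800.1\tC1\t10.20.30.41\t49152\t202.114.4.120\t511\ttcp
1738540801.2\tC2\t10.20.30.41\t49153\t202.114.4.119\t517\ttcp
1738540802.3\tC3\t10.20.30.41\t49154\t202.114.4.119\t80\ttcp
1738540803.4\tC4\t10.20.30.55\t49155\t8.8.8.8\t53\tudp
1738540804.5\tC5\t10.20.30.41\t49156\t202.114.4.120\t515\ttcp
"""

@dataclass
class Hit:
    sid: int
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: float

def match_rule(dst_ip: str, dst_port: int, proto: str) -> Optional[int]:
    """Return the SID whose destination IP/port range matches, else None.
    Like the rules, only TCP counts; other ports on the same IP do not match."""
    if proto != "tcp":
        return None
    for sid, (ip, ports) in RULES.items():
        if dst_ip == ip and dst_port in ports:
            return sid
    return None

def scan_conn_log(text: str) -> List[Hit]:
    """Parse tab-separated records and return one Hit per matching flow."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, _uid, src, _sport, dst, dport, proto = line.split("\t")
        sid = match_rule(dst, int(dport), proto)
        if sid is not None:
            hits.append(Hit(sid, src, dst, int(dport), float(ts)))
    return hits
```

Of the five constructed records, only the first two are flagged: the port-80 flow to 202.114.4.119 and the port-515 flow to 202.114.4.120 fall outside the per-IP port criteria of the rules, which is worth remembering when tuning.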
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | — | 7.7 | HIGH | — |
GHSA
GHSA-p2j3-fm26-85wv (unreviewed) · 2025-01-30 · CVE-2025-0626 [HIGH] · CWE-912
The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device.
VulnCheck
Hidden Functionality · vulncheck · 2025 · CVSS 7.7 · CVE-2025-0626 [HIGH]
Affected: Contec Health CMS8000 Patient Monitor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report
Suricata
ET INFO Contec Health CMS8000 Patient Monitor Insecure Default HL7 Protocol Server IP (CVE-2025-0626) · suricata · 2025-02-03 · CVSS 7.7 · CVE-2025-0626 [HIGH]
Rule: SID 2059840 (same rule as listed under Detection & IOCs above).
Suricata
ET INFO Contec Health CMS8000 Patient Monitor Insecure Default CMS Protocol Server IP (CVE-2025-0626) · suricata · 2025-02-03 · CVSS 7.7 · CVE-2025-0626 [HIGH]
Rule: SID 2059841 (same rule as listed under Detection & IOCs above).
No public exploits indexed.
References
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01
- https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication
- https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/
- https://www.cisa.gov/resources-tools/resources/contec-cms8000-contains-backdoor