CVE-2025-0626 HIGH

CVE-2025-0626: Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor

Vendor Contec Health
Product CMS8000 Patient Monitor
Weakness CWE-912
Published January 30, 2025
Last update March 1, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.

Key dates

02 Disclosure timeline

January 30, 2025 CVE published
March 1, 2025 Record updated