CVE-2025-1204

Description

The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.

Remediation

Workaround:

Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks. If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.

References

Link	Tags
https://claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated?ref=vault33.org	third party advisory
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01	government resource

Frequently Asked Questions

What is the severity of CVE-2025-1204?: CVE-2025-1204 has been scored as a high severity vulnerability.
How to fix CVE-2025-1204?: As a workaround for remediating CVE-2025-1204: Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks. If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Is CVE-2025-1204 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-1204 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-1204?: CVE-2025-1204 affects Contec Health CMS8000 Patient Monitor.

Description

Remediation

Category

CWE-912 – Hidden Functionality

References

Frequently Asked Questions