
On January 30, 2025, the U.S. Food & Drug Administration (FDA) and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released coordinated notices regarding three vulnerabilities in the Contec CMS8000 patient vital sign monitor, including vulnerabilities in relabeled units such as the EpsiMed MN-120.

The CISA Fact Sheet provides a detailed writeup of the observed behavior and states that the vulnerabilities constitute a backdoor, where the medical device attempts to communicate with an external IP address at an unnamed Chinese university in two ways:

  1. Mounting a Network File System (NFS) share that could give the external IP address remote control of device functions.
  2. Sending patient data via the Health Level Seven (HL7) protocol. (The HL7 protocol is a set of standards for exchanging electronic health information [EHI] between healthcare systems.)

The potential ramifications of this behavior could indeed be alarming. A backdoor into patient vital sign monitors, typically used in an ICU setting, could be devastating. An attack on the integrity or availability of a patient vital sign monitoring device that provides real-time ICU patient status alerts is a very real safety issue. The use of a compromised patient vital sign monitor as a beachhead into a hospital network could also lead to the type of breach or ransomware attack that is seen far too often in the healthcare industry. The serious consequences of transmitting confidential HL7 patient data to an external party also cannot be discounted.

This release of the FDA safety communication and CISA ICS medical advisory led to several media sources publishing reports about Contec, a Chinese medical device manufacturer, releasing patient vital sign monitors used by U.S. hospitals with a backdoor.

Cylera Threat Intelligence Research Team Analysis

Following the FDA and CISA disclosures, members of the Cylera threat intelligence research team investigated the three Contec vulnerabilities identified in the FDA safety bulletin by deploying the signatures within the Cylera platform. The Cylera threat intelligence research team found the IP address indicator of compromise (IoC) 202.114.4.119 posted on social media and confirmed that the IP address matched the reported IP address assignment to a Chinese university.

inetnum: 202.112.0.0 - 202.121.255.255
netname: CERNET-CN
descr: China Education and Research Network
descr: China Education and Research Network Center
descr: Tsinghua University
descr: Beijing, 100084
country: CN
admin-c: CER-AP
tech-c: CER-AP
abuse-c: AC1685-AP
status: ALLOCATED PORTABLE
remarks: origin AS4538
mnt-by: APNIC-HM
mnt-lower: MAINT-CERNET-AP
mnt-routes: MAINT-CERNET-AP
mnt-irt: IRT-CERNET-AP
last-modified: 2020-09-03T09:16:29Z
source: APNIC

However, while investigating the nature of the IP address further, the Cylera threat intelligence research team also discovered search engine results for the IP address that produced hits on patient monitoring device manuals from multiple manufacturers.

For example, the Cylera team found multiple references to the IP address in the Contec CMS8000 user manual prepared by the Italian importer Gima Professional Products (specifically as the fixed IP address of the Central Monitoring System [CMS] server).

Figure 1

Figure 2

The Cylera team also found the IP address in the Drager Vista CMS installation manual, where 202.114.4.119 is the default IP address of the CMS server. The manual specifies that monitors should have addresses on the 202.114.4.0/24 network to communicate with the server.

Figure 3

Figure 4

The Cylera team also found more references in the Mindray Patient Data Share Solution Guide. In this document, users are instructed to verify that patient monitors are on the 202.114.4.0/24 network and again confirm that the default IP address of the CMS server is 202.114.4.119.

Figure 5

Figure 6

The Cylera threat intelligence research team also found similar references in the Mindray VS-800 Vital Signs Monitor Operator’s Manual.

Figure 7

The IP address is also referenced in other patient monitor manuals, including the Edan M3A Vital Signs Monitor.

Figure 8

In addition to the 202.114.4.119 IP address and accompanying network, Mindray’s Central Monitoring Solution Service Manual references the 196.76.0.0/16 network for internal communication. The network is registered in Morocco.

Figure 9

Figure 10

Cylera Threat Intelligence Research Team Findings

The Cylera threat intelligence research team investigation leads Cylera to believe that the behavior found in the Contec patient vital signs monitor is not, in fact, an intentional backdoor. Instead, it is an unfortunate use of a publicly allocated IPv4 address space in an internal setting. This design was present by default in multiple manufacturers’ patient monitor network architectures for decades.

In a lab setting, a researcher may notice attempts to communicate with the IP address in China. However, we believe that in most production settings, the monitors communicate with an installed CMS server with that IP address on the same isolated VLAN as intended.

The Cylera threat intelligence research team has also shared these findings with the FDA.

This does, however, raise the question: why are patient monitoring networks not using private reserved address space for internally isolated networks?

Cylera threat intelligence researchers theorize these network ranges were originally chosen to remove the likelihood of address space collisions with Western healthcare facilities’ enterprise IP networks. This eliminates potential routing conflicts on the bridge between the patient monitoring network and the hospital network, which could require advanced network address translation (NAT) strategies.

Cylera Recommendations

While the Cylera threat intelligence team does not believe traffic has been intentionally transmitted to a Chinese university, there is nothing stopping any entity from exploiting network communication errantly sent their way. Therefore, Cylera recommends IT security and information security teams in healthcare delivery organizations (HDOs) take the following actions:

  1. Implement implicit deny rules on all egress firewalls.
  2. Investigate any attempted external communication and remediate any unauthorized communication issues at once, including cases of misconfiguration.
  3. Consult with patient monitor vendors on the use of reserved address space on monitoring networks.
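As an added illustration of recommendations 1 and 2 (not code from Cylera or any vendor), the following Python script checks whether the vendor-default ranges cited in the manuals above are publicly routable, and then audits a few constructed flow records to separate the intended intra-VLAN monitor-to-CMS conversation from flows that have actually left the isolated segment and would be caught by an egress implicit-deny rule. The monitor VLAN (202.114.4.0/24), the sample addresses and the ports (2049 for NFS, 2575 for HL7 MLLP) are assumptions for the example.

```python
import ipaddress

# Address ranges quoted in the vendor manuals discussed above.
VENDOR_DEFAULTS = {
    "CMS server network (Contec, Drager, Mindray, Edan manuals)": "202.114.4.0/24",
    "Mindray internal network (service manual)": "196.76.0.0/16",
}

def classify_range(cidr):
    """'private' for RFC 1918 / reserved space, otherwise 'public' (globally routable)."""
    return "private" if ipaddress.ip_network(cidr).is_private else "public"

def audit_flow(src, dst, monitor_vlan):
    """Classify one monitor flow as (verdict, reason).

    monitor_vlan is the isolated segment the monitors and their CMS live on.
    Traffic that stays inside that segment is the intended CMS conversation;
    anything bound for a globally routable address has left the segment and
    is exactly what an egress implicit-deny rule should block.
    """
    vlan = ipaddress.ip_network(monitor_vlan)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in vlan and d in vlan:
        return ("allow", "intra-VLAN traffic to local CMS")
    if d.is_global:
        for label, cidr in VENDOR_DEFAULTS.items():
            if d in ipaddress.ip_network(cidr):
                return ("alert", f"egress to vendor default {label}; likely misconfiguration")
        return ("alert", "egress to public address outside monitoring VLAN")
    return ("allow", "internal traffic")

# Constructed sample flows (src, dst, dst_port); assumed monitor VLAN is the
# manuals' default 202.114.4.0/24 with a local CMS at 202.114.4.119.
SAMPLE_FLOWS = [
    ("202.114.4.50", "202.114.4.119", 2049),  # NFS to local CMS: expected
    ("202.114.4.50", "202.114.4.119", 2575),  # HL7 (MLLP) to local CMS: expected
    ("10.20.30.40", "202.114.4.119", 2049),   # monitor moved to hospital LAN, still using default CMS
    ("10.20.30.41", "196.76.1.10", 2575),     # Mindray default range with no local CMS: egress
    ("10.20.30.42", "10.20.30.1", 53),        # internal DNS: fine
]

def audit_flows(flows, monitor_vlan="202.114.4.0/24"):
    return [(src, dst, port, *audit_flow(src, dst, monitor_vlan)) for src, dst, port in flows]

if __name__ == "__main__":
    for label, cidr in VENDOR_DEFAULTS.items():
        print(f"{cidr:16} {classify_range(cidr):8} {label}")
    for row in audit_flows(SAMPLE_FLOWS):
        print(row)
```

A flow flagged as egress to a vendor default address is the signature of a monitor that was re-addressed onto the hospital LAN without its CMS setting being changed, which is the misconfiguration case recommendation 2 asks teams to remediate.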

Learn More

Cylera helps healthcare organizations identify and prevent unauthorized network communications through several key strategies:

  • Asset Discovery and Classification: Cylera's platform provides a detailed, real-time asset inventory for all connected medical devices and IoT assets. This helps organizations understand what devices are on their network and their communication patterns.
  • Secure Communication Traffic Patterns: Cylera can help ensure that healthcare IoT devices communicate only with designated systems, preventing unauthorized communications and potential breaches.
  • Network Segmentation: Through the combination of the Cylera platform device profiling engine, the Cylera network segmentation policy generator, and Cylera integrations with leading firewall and network access control (NAC) solutions, Cylera can help organizations better isolate and protect their sensitive data and critical systems. This helps prevent unauthorized access to critical healthcare systems and limits the spread of malware.

To learn more about how Cylera can enhance your healthcare cybersecurity, contact us for a personalized consultation or to schedule a demo. We would be happy to share with you how your organization can use the Cylera platform to protect the healthcare IoT and connected medical devices on your network more effectively.