Out-of-Bounds Write Vulnerability in Medical Device Software from CISA
CVE-2024-12248

9.3CRITICAL

Key Information:

Vendor: Contec Health
Status: Cms8000 Patient Monitor
Vendor: CVE Published:; 30 January 2025

🔔 Create Contec Health Vulnerability Alert

What is CVE-2024-12248?

The medical device software is susceptible to an out-of-bounds write vulnerability, which may allow an attacker to exploit the system by sending specially crafted UDP requests. This exploitation can lead to the execution of arbitrary code, posing significant risks to the integrity and security of the affected medical devices.

Affected Version(s)

CMS8000 Patient Monitor Firmware version smart3250-2.6.27-wlan2.1.7.cramfs

CMS8000 Patient Monitor Firmware version CMS7.820.075.08/0.74(0.75)

CMS8000 Patient Monitor Firmware version CMS7.820.120.01/0.93(0.95)

References

https://www.cisa.gov/news-events/ics-medical-advisories/i...

https://www.fda.gov/medical-devices/safety-communications...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 30, 2025
Vulnerability Reserved
Dec 5, 2024

Credit

An anonymous researcher reported these vulnerabilities to CISA.