CVE-2024-12248
Published: 30 January 2025
Summary
CVE-2024-12248 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in the Contec Health CMS8000 Patient Monitor. Its CVSS v4 base score is 9.3 (Critical); under CVSS v3.1 it scores 9.8.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.1% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigating controls our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection). Both are code-level controls that only the vendor can apply in the device firmware; operators of already-deployed monitors are limited to reducing the network exposure of the affected UDP service.
Deeper analysis
CVE-2024-12248 is an out-of-bounds write vulnerability (CWE-787) affecting the Contec Health CMS8000 Patient Monitor. The flaw allows an attacker to send specially formatted UDP requests that write arbitrary data outside the intended memory bounds, potentially resulting in remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.
Any attacker able to reach the device's UDP service over the network can exploit this vulnerability without authentication by crafting and transmitting malicious datagrams. Successful exploitation could yield full remote code execution on the patient monitor, with high impact on confidentiality, integrity, and availability: an attacker could alter device functions, exfiltrate sensitive patient data, or disrupt critical healthcare operations.
Mitigation details are provided in CISA advisory ICSMA-25-030-01 and the accompanying FDA safety communication, which give guidance for addressing the vulnerability in Contec CMS8000 monitors and related patient monitors.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50712
Vulnerability details
Contec Health CMS8000 Patient Monitor is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, network-accessible RCE via crafted UDP packets sent to a remotely exposed device service matches exploitation of a public-facing or remote application/service, i.e. T1190 (Exploit Public-Facing Application).
Affected Assets
- Contec Health CMS8000 Patient Monitor
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly identifies, reports, and corrects the out-of-bounds write flaw in the patient monitor's UDP processing, eliminating the vulnerability.
- SI-10 (Information Input Validation): validates incoming UDP requests, rejecting specially formatted data (for example a length field larger than the receiving buffer) before it can trigger an out-of-bounds write.
- SI-16 (Memory Protection): implements memory protection mechanisms such as address space layout randomization and stack canaries, so that an out-of-bounds write that still occurs is harder to turn into remote code execution.
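As an added illustration (not code from this page, from the CISA/FDA advisories, or from Contec's firmware), the C program below contrasts the pattern behind a CWE-787 out-of-bounds write in a UDP handler, as described in the deeper analysis above, with the input validation that the SI-10 control above calls for. A datagram carries an attacker-controlled length field; the vulnerable parser copies that many bytes into a fixed-size buffer, while the hardened parser checks the claimed length against both the buffer size and the bytes actually received. The datagram layout, the record structure, the function names and the sentinel bytes are all constructed for this example and do not reflect the CMS8000's real protocol or code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed datagram layout for this example (NOT the CMS8000 protocol):
 *   byte 0     : message type
 *   bytes 1..2 : payload length, big-endian, attacker-controlled
 *   bytes 3..  : payload                                                    */
#define HDR_LEN      3
#define MAX_PAYLOAD  64
#define SENTINEL_LEN 4

struct record {
    uint8_t  type;
    uint16_t len;
    /* The payload lives in storage[0..MAX_PAYLOAD). The trailing SENTINEL_LEN
     * bytes stand in for whatever follows the buffer in real firmware (a saved
     * return address, a function pointer, a neighbouring object). Keeping both
     * in one array makes the overflow observable without undefined behaviour. */
    uint8_t  storage[MAX_PAYLOAD + SENTINEL_LEN];
};

static const uint8_t SENTINEL[SENTINEL_LEN] = {0xDE, 0xAD, 0xBE, 0xEF};

void record_init(struct record *r) {
    memset(r, 0, sizeof *r);
    memcpy(r->storage + MAX_PAYLOAD, SENTINEL, SENTINEL_LEN);
}

/* 1 if the bytes "after" the payload buffer are untouched, 0 if clobbered. */
int sentinel_intact(const struct record *r) {
    return memcmp(r->storage + MAX_PAYLOAD, SENTINEL, SENTINEL_LEN) == 0;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable handler: copies as many bytes as the header claims. A claimed
 * length above MAX_PAYLOAD writes past the buffer (CWE-787); a claimed length
 * above the datagram size would also read past the datagram. */
int parse_vulnerable(struct record *r, const uint8_t *dgram, size_t n) {
    if (n < HDR_LEN) return -1;
    r->type = dgram[0];
    r->len  = be16(dgram + 1);
    memcpy(r->storage, dgram + HDR_LEN, r->len);   /* no bound on r->len */
    return 0;
}

/* Hardened handler (SI-10 style validation): the claimed length must fit the
 * destination buffer AND the bytes actually received, and the record is only
 * updated once the input has been accepted. */
int parse_hardened(struct record *r, const uint8_t *dgram, size_t n) {
    if (n < HDR_LEN) return -1;                 /* header incomplete */
    uint16_t len = be16(dgram + 1);
    if (len > MAX_PAYLOAD) return -2;           /* would overflow the buffer */
    if ((size_t)len > n - HDR_LEN) return -3;   /* claims more than was sent */
    r->type = dgram[0];
    r->len  = len;
    memcpy(r->storage, dgram + HDR_LEN, len);
    return 0;
}

/* Build a datagram whose header claims `claimed` payload bytes and that
 * actually carries `actual` bytes of `fill`. Returns the datagram size, or 0
 * if it does not fit in `cap` bytes. */
size_t build_datagram(uint8_t *out, size_t cap, uint8_t type,
                      uint16_t claimed, size_t actual, uint8_t fill) {
    if (cap < HDR_LEN + actual) return 0;
    out[0] = type;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xFF);
    memset(out + HDR_LEN, fill, actual);
    return HDR_LEN + actual;
}

int main(void) {
    uint8_t dgram[256];
    struct record r;

    /* Constructed malicious datagram: claims (and carries) 68 payload bytes,
     * four more than the buffer holds. */
    size_t n = build_datagram(dgram, sizeof dgram, 0x01, MAX_PAYLOAD + SENTINEL_LEN,
                              MAX_PAYLOAD + SENTINEL_LEN, 0x41);

    record_init(&r);
    printf("vulnerable: rc=%d sentinel_intact=%d\n",
           parse_vulnerable(&r, dgram, n), sentinel_intact(&r));

    record_init(&r);
    printf("hardened:   rc=%d sentinel_intact=%d\n",
           parse_hardened(&r, dgram, n), sentinel_intact(&r));
    return 0;
}
```

The two checks in `parse_hardened` address different failure modes: the first prevents the out-of-bounds write, the second prevents an out-of-bounds read of the received datagram when the header lies about how much payload follows. A stack canary or ASLR (SI-16) would make the clobbered sentinel harder to exploit, but only the length validation stops the corruption itself.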