Texas Orders Cybersecurity Audit of Chinese-Made Medical Devices
What Houston Healthcare Businesses Should Know About the Texas Device Directive – State Prohibited Technology List Expands to Include Chinese Patient Monitors
Texas Orders Cybersecurity Audit of Chinese-Made Medical Devices After Federal Backdoor Warnings
Governor Abbott directs state agencies to inventory and review all Chinese-manufactured medical equipment connected to Texas healthcare networks.
On March 9, 2026, Texas Governor Greg Abbott directed state health agencies and public university systems to conduct a full cybersecurity review of medical devices manufactured in China. The directive came after CISA and the FDA issued warnings about backdoor vulnerabilities found in patient monitoring equipment from Chinese manufacturer Contec Medical Systems - devices used across hospitals, clinics, and home healthcare settings throughout Texas and the rest of the country.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
Governor Abbott's letter was addressed to the Texas Health and Human Services Commission (HHSC), the Department of State Health Services (DSHS), Texas Cyber Command (TXCC), and leaders of the state's public university systems. The core message was direct: state-owned medical facilities need to prove they know what Chinese-made devices are on their networks, and they need to demonstrate that cybersecurity protections are actually in place.
The governor referenced CISA and FDA notices from January 2025 that described specific security vulnerabilities in Chinese-manufactured patient monitoring devices. Those vulnerabilities include the ability for unauthorized actors to access protected health information remotely - a scenario that represents both a patient safety issue and a HIPAA compliance failure waiting to happen.
- All state-owned medical facilities must verify new device purchases comply with Executive Order GA-48, signed in November 2024
- Agencies must catalog every medical device capable of network data transmission or remote access
- Full inventory data must be shared with Texas Cyber Command for security evaluation
- All cybersecurity policies protecting personal health information must be reviewed at every state-owned facility
- Reports and recommendations are due to the Governor's office by April 17, 2026
Abbott signaled he plans to propose legislation in the next session specifically aimed at protecting Texans' medical data from foreign adversaries. The Contec CMS8000 and Epsimed MN-120 patient monitors are already on Texas' prohibited technology list.
CISA's research team tested three firmware packages for the Contec CMS8000 patient monitor. What they found was alarming: every single version contained the same set of vulnerabilities. This wasn't a one-off bug. The problems were baked into the device's firmware across all known versions.
The first vulnerability, CVE-2025-0626, is classified as hidden functionality - essentially a reverse backdoor. The device's firmware contains a hard-coded IP address and actively sends remote access requests to that address, bypassing whatever network settings the device has been configured with. If someone controls that IP address - or intercepts the traffic - they can upload and overwrite files on the monitor. CISA gave this a CVSS v4 score of 7.7.
The second flaw, CVE-2024-12248, is an out-of-bounds write vulnerability. An attacker can send specially formatted UDP requests to the device that write arbitrary data into memory, which opens the door to remote code execution. The CVSS v3.1 score on this one is 9.8 out of 10 - about as critical as it gets. In environments without proper network segmentation, a UDP broadcast could exploit every vulnerable Contec monitor on the network at once.
The third issue, CVE-2025-0683, is a privacy leakage vulnerability with a CVSS v4 score of 8.2. By default, the CMS8000 transmits plain-text patient data - including personally identifiable information and protected health information - to a hard-coded public IP address whenever a patient is connected to the monitor. No encryption. No user opt-in. The device just sends the data.
- CVE-2025-0626 (CVSS 7.7): Embedded backdoor with hard-coded IP address enabling remote file upload and device control
- CVE-2024-12248 (CVSS 9.8): Out-of-bounds write allowing remote code execution via crafted UDP requests
- CVE-2025-0683 (CVSS 8.2): Plain-text patient data transmitted to external hard-coded IP address by default
- CVE-2025-1204 (CVSS 7.7): Additional hidden functionality triggered during startup that mounts a remote share from a hard-coded external address
There is currently no patch available from Contec for any of these vulnerabilities. CISA's recommendation is straightforward: remove the devices from your network.
No Patch Available - Removal Recommended
CISA and the FDA recommend disconnecting all Contec CMS8000 and Epsimed MN-120 devices from networks. If removal isn't possible, organizations should block the IP range 202.114.4.0/24 from internal networks and disable all remote monitoring capabilities. Houston-area healthcare businesses should work with their managed IT provider to identify and isolate these devices immediately.
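Blocking 202.114.4.0/24 at the edge stops the traffic, but the firewall or flow logs that blocking generates are also the quickest way to find monitors you did not know you had, including relabeled units and a device that quietly re-enabled its Ethernet port. The script below is an added example, not code from CISA, the FDA, or CinchOps: it parses a constructed key=value flow export (the field layout is an assumption; adapt `parse_flow()` to your own collector), flags every internal host that sent anything into the blocked range, and summarizes the result per source host so each one can be pulled for UDI verification.

```python
"""Flag internal hosts sending traffic into the address range named in the CMS8000 guidance.

Added example; not code from CISA, the FDA, or CinchOps. The log format is a
constructed key=value export; adjust parse_flow() for your own firewall or
flow collector.
"""
import ipaddress
import re
from collections import defaultdict

# The range CISA and the FDA recommend blocking at the network edge.
BLOCKED_RANGE = ipaddress.ip_network("202.114.4.0/24")

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)

# Constructed sample lines (not captured from a real device or network).
SAMPLE_LOG = """\
2026-03-10T08:01:12Z src=10.20.5.41 dst=202.114.4.119 proto=tcp sport=51234 dport=8080 bytes=842
2026-03-10T08:01:15Z src=10.20.5.41 dst=202.114.4.119 proto=udp sport=40000 dport=8080 bytes=120
2026-03-10T08:02:00Z src=10.20.7.12 dst=8.8.8.8 proto=udp sport=53001 dport=53 bytes=64
2026-03-10T08:02:30Z src=10.20.5.77 dst=202.114.4.5 proto=tcp sport=49152 dport=80 bytes=300
2026-03-10T08:03:01Z src=10.20.7.12 dst=202.114.5.1 proto=tcp sport=49153 dport=443 bytes=900
garbage line that does not parse
"""


def parse_flow(line):
    """Return (timestamp, src, dst, proto, dport) or None for unparseable lines."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"])


def is_blocked_destination(ip_text):
    """True when the destination falls inside the range that should be blocked."""
    try:
        return ipaddress.ip_address(ip_text) in BLOCKED_RANGE
    except ValueError:
        return False


def find_suspect_hosts(log_text):
    """Map each internal source IP to the flows it sent into BLOCKED_RANGE.

    Every host listed here is either a CMS8000/MN-120 (possibly relabeled) or
    something else that needs explaining, so the result doubles as a discovery
    list for the device inventory.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, proto, dport = flow
        if ipaddress.ip_address(src).is_private and is_blocked_destination(dst):
            hits[src].append({"time": ts, "dst": dst, "proto": proto, "dport": dport})
    return dict(hits)


def summarize(hits):
    """Render one line per suspect host for a ticket or an inventory review."""
    lines = []
    for src in sorted(hits):
        flows = hits[src]
        dsts = sorted({f["dst"] for f in flows})
        lines.append(f"{src}: {len(flows)} flow(s) to {', '.join(dsts)} -> isolate and verify UDI")
    return lines


if __name__ == "__main__":
    for line in summarize(find_suspect_hosts(SAMPLE_LOG)):
        print(line)
```

Run it against a day of denied-outbound logs after the block rule is in place; the neighbouring 202.114.5.1 destination in the sample is deliberately left unflagged to show the match is on the /24 and nothing wider. Anything private that shows up in the report is a device to physically locate, disconnect, and check against the FDA's UDI guidance.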
The Contec CMS8000 is a patient monitor used in hospitals, clinics, and home healthcare settings to track electrocardiogram readings, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. It's manufactured by Contec Medical Systems, headquartered in Qinhuangdao, China. What makes the scope harder to pin down is that the CMS8000 is relabeled and sold by other companies - including as the Epsimed MN-120.
Here's the problem for healthcare IT teams: you might not know you have a Contec device. The FDA has noted that these monitors may appear under different brand names depending on the reseller. The agency recommends verifying the Unique Device Identifier (UDI) to confirm whether a specific unit is actually a relabeled CMS8000.
- Contec CMS8000 - all firmware versions affected, including Version 2.0.6, Version 2.0.8, and intermediate builds
- Epsimed MN-120 - confirmed relabeled CMS8000 with identical vulnerabilities
- Additional relabeled versions may exist under other brand names through third-party resellers
- The device runs an ARM processor on Linux-based firmware with the vulnerable "monitor" binary
The firmware's "monitor" binary contains the backdoor function that makes atypical calls to a "write_cmd" function. During startup, the device activates its ethernet interface via the "ifconfig eth0 up" command - meaning even if someone has disabled the network connection, the device can silently re-enable it and begin sending data. Some models also include Wi-Fi and cellular connectivity, which adds another layer of risk for facilities that thought they had the device air-gapped.
Abbott's directive lays out specific requirements for HHSC, DSHS, public university systems, and Texas Cyber Command. The deadline is tight - April 17, 2026 - and each agency has a defined role in the review process.
- Procurement compliance attestation: HHSC, DSHS, and public university systems must verify that all new medical device purchases comply with Executive Order GA-48, which restricts acquisitions from entities controlled by foreign adversary governments
- Device inventory: Agencies must catalog every state-owned medical device capable of transmitting data via a network or that can be accessed remotely, then share that inventory with Texas Cyber Command
- Cybersecurity policy review: All policies protecting personal health information at state-owned medical facilities must be reviewed, with gaps identified and reported
- HHSC outreach: HHSC must promote awareness of FDA resources for reporting cybersecurity concerns among hospitals and healthcare providers it regulates
- TXCC evaluation: Texas Cyber Command will assess whether the Contec CMS8000, Epsimed MN-120, and any other devices flagged in FDA notices should be added to the state's prohibited technology list
- Policy recommendations: TXCC will convene agency executives to recommend improvements focused on emerging cybersecurity risks, monitoring practices, and mitigation strategies for medical devices
The Texas Cyber Command is the largest state-level cybersecurity department in the country. It was created by Governor Abbott specifically to protect Texans from foreign and domestic cyber threats, and it carries the primary role of evaluating whether additional Chinese-manufactured devices should be banned statewide.
The medical device directive doesn't exist in a vacuum. Texas has been building a systematic approach to limiting Chinese technology influence across state government since late 2024. In November of that year, Governor Abbott issued three executive orders - GA-47, GA-48, and GA-49 - specifically targeting what the administration described as Chinese Communist Party infiltration threats.
Executive Order GA-48 is the one that directly feeds into this medical device review. It requires state agencies and public universities to harden systems, restrict procurement from foreign adversary-controlled companies, prohibit employee gifts and work travel to designated countries, and implement stronger background checks for personnel with access to critical infrastructure.
- In January 2026, Abbott expanded the state's prohibited technology list to include companies like Alibaba, Shein, TP-Link, and CATL
- Texas Attorney General Ken Paxton filed a lawsuit against TP-Link Systems in February 2026 - the first in a planned series targeting Chinese technology companies
- Texas operates a "hostile foreign adversaries unit" within the Department of Public Safety, focused primarily on Chinese cyber threats
- Abbott signed legislation banning hostile foreign adversaries from purchasing Texas land
- Florida followed with its own task force investigating Chinese data collection practices in February 2026
The pattern is clear: state governments aren't waiting for federal action on Chinese technology risks. Texas is moving faster than most, and the medical device directive suggests healthcare-specific cybersecurity requirements could become significantly stricter in the near future - through legislation Abbott plans to propose next session.
The governor's directive targets state-owned facilities. But here's what I've seen in 30 years working in IT: when a state government starts banning equipment, private sector compliance requirements follow. The FDA and CISA warnings apply to everyone using these devices - not just state agencies. If you're a healthcare practice in Houston, Katy, Sugar Land, or anywhere across the metro area, you should be treating this as a call to action for your own network.
The real risk for small and mid-sized healthcare businesses isn't just these two specific devices. It's the broader question: do you actually know what's on your network? We see this pattern at least twice a month with Houston businesses - a connected device that nobody in the office realizes is sending data somewhere it shouldn't be. Patient monitors are just the tip of the iceberg. Infusion pumps, imaging equipment, building access systems, even smart thermostats in medical offices can be manufactured by Chinese companies with unknown firmware behaviors.
- Conduct a full inventory of every network-connected medical device in your facility, including devices you didn't realize were network-capable
- Check the manufacturer and country of origin for each device - relabeled products make this harder than it sounds
- If you have Contec CMS8000 or Epsimed MN-120 monitors, disconnect them from your network or block outbound traffic to 202.114.4.0/24
- Implement network segmentation to isolate medical devices from your core business network and electronic health records systems
- Review your HIPAA risk assessment - unpatched medical device vulnerabilities are exactly the kind of finding that can turn into a compliance issue if patient data is exposed
- Monitor for upcoming Texas legislation that could extend device restrictions to private healthcare providers
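The first four checklist items above are mechanical enough to script. The following is an added example, not part of the Texas directive, the CISA/FDA guidance, or CinchOps' tooling: it takes a constructed device inventory and a constructed set of observed flows, lists inventoried units whose model matches the two prohibited models, lists hosts on the medical subnet that sent traffic but appear nowhere in the inventory (the relabeling problem in practice), and reports flows that a medical device initiated into the EHR subnet. The subnet layout and the policy that medical devices must never initiate connections into the EHR segment are assumptions made for the example.

```python
"""Reconcile a device inventory with observed flows and check medical-device segmentation.

Added example; not part of the Texas directive, the CISA/FDA guidance, or
CinchOps' tooling. The inventory rows, flow records and subnet layout are
constructed, and the segmentation policy (medical devices must not initiate
connections into the EHR subnet) is an assumed policy, not one from the article.
"""
import ipaddress
from dataclasses import dataclass

# Models the article says are on the Texas prohibited technology list.
PROHIBITED_MODELS = {"CMS8000", "MN-120"}

# Assumed network layout for the example.
MEDICAL_SUBNET = ipaddress.ip_network("10.20.5.0/24")
EHR_SUBNET = ipaddress.ip_network("10.20.50.0/24")


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: str
    model: str
    vlan: str


# Constructed inventory; a real one would come from your asset system.
INVENTORY = [
    Device("10.20.5.41", "Contec", "cms8000", "medical"),
    Device("10.20.5.42", "Epsimed", "MN-120", "medical"),
    Device("10.20.5.43", "Acme Imaging", "XR-200", "medical"),
    Device("10.20.50.10", "Example Corp", "EHR-DB-01", "ehr"),
]

# Constructed (src, dst) pairs as a flow collector might export them.
OBSERVED_FLOWS = [
    ("10.20.5.41", "202.114.4.119"),   # inventoried monitor phoning home
    ("10.20.5.77", "202.114.4.5"),     # not in the inventory at all
    ("10.20.5.43", "10.20.50.10"),     # medical device initiating into the EHR subnet
    ("10.20.50.10", "10.20.5.43"),     # EHR host polling a device: allowed by the assumed policy
    ("10.20.7.12", "8.8.8.8"),         # ordinary workstation DNS, outside the watched subnet
]


def normalize_model(model):
    """Compare model strings loosely so 'cms8000' and 'CMS-8000' both match."""
    return model.upper().replace("-", "").replace(" ", "")


def prohibited_devices(inventory):
    """Inventory entries whose model matches a prohibited model string.

    Relabeled units sold under another name will not match here; that is why
    the flow-based checks below exist and why the FDA points to the UDI.
    """
    wanted = {normalize_model(m) for m in PROHIBITED_MODELS}
    return [d for d in inventory if normalize_model(d.model) in wanted]


def unknown_hosts(inventory, flows, watched=MEDICAL_SUBNET):
    """Source IPs inside the watched subnet that sent traffic but are not inventoried."""
    known = {d.ip for d in inventory}
    return sorted(
        {src for src, _ in flows
         if ipaddress.ip_address(src) in watched and src not in known}
    )


def segmentation_violations(flows):
    """Flows initiated from the medical subnet into the EHR subnet."""
    return [
        (src, dst) for src, dst in flows
        if ipaddress.ip_address(src) in MEDICAL_SUBNET
        and ipaddress.ip_address(dst) in EHR_SUBNET
    ]


def build_findings(inventory=INVENTORY, flows=OBSERVED_FLOWS):
    """Collect the three checks into one structure for a risk-assessment write-up."""
    return {
        "prohibited": [d.ip for d in prohibited_devices(inventory)],
        "unknown_medical_hosts": unknown_hosts(inventory, flows),
        "segmentation_violations": segmentation_violations(flows),
    }


if __name__ == "__main__":
    for key, value in build_findings().items():
        print(f"{key}: {value}")
```

The output of `build_findings()` maps directly onto the HIPAA risk-assessment documentation the checklist asks for: each prohibited device is a finding with a disconnect-or-block remediation, each unknown host is an inventory gap to close, and each segmentation violation is a firewall rule to add. Keep the inventory and flow exports with the report so the mitigation steps are evidenced, not just asserted.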
If you're not sure where to start, that's exactly the situation where working with a local IT support provider who understands healthcare cybersecurity requirements makes a measurable difference. This isn't the kind of problem that a one-time scan will fix. You need ongoing visibility into what's connected to your network and where it's sending data.
HIPAA Compliance Implications
Unpatched medical devices that transmit unencrypted patient data represent a clear HIPAA violation risk. If a device on your network is sending protected health information to an external server without encryption - as the Contec CMS8000 does by default - that's a reportable security gap. Houston-area healthcare businesses should include medical device security in their next HIPAA risk assessment and document all mitigation steps. CinchOps provides cybersecurity assessments specifically designed for healthcare practices in the Houston metro area.
How CinchOps Can Help
Medical device cybersecurity isn't optional anymore - not with state-level directives being issued and federal agencies flagging active backdoors in equipment used across Texas healthcare facilities. CinchOps works with healthcare practices, clinics, and small medical offices across Houston, Katy, and Sugar Land to identify and address exactly these kinds of risks before they become incidents.
- Medical device network inventory and assessment - we identify every connected device on your network, trace its manufacturer, and flag anything that presents a security or compliance risk
- Network segmentation implementation - isolate medical devices, IoT equipment, and operational technology from your core business network and patient records systems
- HIPAA-focused cybersecurity reviews - assess your practice's security posture against current HIPAA requirements, including medical device vulnerabilities and data transmission risks
- 24/7 network monitoring - continuous visibility into device behavior, outbound traffic patterns, and anomalous connections that could indicate compromised equipment
- Incident response planning - develop and test response procedures specific to medical device compromises, including patient notification and regulatory reporting workflows
- Ongoing compliance guidance - stay ahead of evolving Texas and federal requirements for healthcare cybersecurity, including upcoming legislation targeting foreign-manufactured devices
Medical devices with embedded backdoors aren't a theoretical risk. They're on Texas' prohibited technology list for a reason. If you're a healthcare business in the Houston area and you're not 100% sure what's on your network, reach out to CinchOps at 281-269-6506 or visit cinchops.com/contact to schedule a security assessment.
❓ Frequently Asked Questions
What Chinese medical devices did Texas flag for cybersecurity risks?
Texas specifically flagged the Contec CMS8000 and Epsimed MN-120 patient monitors, which the FDA and CISA identified as containing embedded backdoors, hard-coded IP addresses enabling unauthorized remote access, and the ability to transmit unencrypted patient data to external servers. These devices are now on Texas' prohibited technology list.
Does the Texas medical device cybersecurity directive affect private healthcare businesses?
The March 2026 directive currently applies to state-owned medical facilities, public university health systems, and agencies under HHSC and DSHS. Private healthcare businesses in Texas are not directly covered, but the FDA and CISA advisories apply to all organizations using affected devices. Governor Abbott has signaled upcoming legislation that could expand requirements to private healthcare providers.
What should Houston healthcare businesses do about Chinese-manufactured medical devices?
Houston healthcare businesses should inventory all network-connected medical devices, identify any manufactured in China, check FDA safety communications for flagged models, implement network segmentation to isolate medical devices from core systems, and block outbound traffic to known malicious IP addresses. Working with a managed IT provider experienced in healthcare cybersecurity can help identify and address these risks.
What vulnerabilities were found in the Contec CMS8000 patient monitor?
CISA identified three critical vulnerabilities: CVE-2025-0626, a hidden backdoor with a hard-coded IP address that enables remote file uploads and overwrites; CVE-2024-12248, an out-of-bounds write flaw with a CVSS score of 9.8 allowing remote code execution; and CVE-2025-0683, a privacy leakage vulnerability that transmits unencrypted patient data to external IP addresses when patients are connected to the monitor.
What is Texas Executive Order GA-48 and how does it relate to medical device security?
Executive Order GA-48, signed in November 2024, directs Texas state agencies and public universities to harden systems against foreign adversary nations, primarily China. It requires procurement compliance, prohibits contracting with foreign adversary-controlled companies, and establishes the framework under which Governor Abbott now requires medical device cybersecurity audits and inventory reviews.
Sources
- Governor Abbott's March 9, 2026 directive to state health agencies - Office of the Texas Governor
- CISA Fact Sheet: Contec CMS8000 Contains a Backdoor - CISA.gov, January 30, 2025
- CISA Advisory ICSMA-25-030-01: Contec Health CMS8000 Patient Monitor - CISA.gov
- FDA Safety Communication: Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed - FDA.gov, January 30, 2025
- CVE-2024-12248 CVSS v3.1 base score of 9.8 - CISA Advisory
- CVE-2025-0626 CVSS v4 base score of 7.7 - CISA Advisory
- CVE-2025-0683 CVSS v4 base score of 8.2 - CISA Advisory
- Executive Order GA-48: Hardening of State Government - Office of the Texas Governor, November 19, 2024
- Texas Cyber Command described as largest state-level cybersecurity department - Office of the Texas Governor
- Texas Attorney General Ken Paxton lawsuit against TP-Link Systems, February 2026 - StateScoop
- April 17, 2026 compliance deadline - Governor Abbott's directive via Industrial Cyber