Assessment
CFSE Consequence Paths assesses Contec CMS8000 out-of-bounds write via UDP at EMERGENCY — the worst of 2 risk paths (safety). The dominant consequence is influence over a safety-relevant actuation.
Vulnerability
Contec CMS8000 out-of-bounds write via UDP. Reported attack vector: Network.
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → EMERGENCY
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:3/EX:3/PH:4/DP:3/AT:3/CH:4/SR:4/SX:4/OR:4/EV:2/LS:ACTIVE
Exposure EX=3 (execution complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.
- RE4 — single unauthenticated UDP datagram, network-reachable (same-VLAN/on-path) is default/internet-style exposure.
- EC3 — OOB write with controllable offset, no auth/handshake — standard researcher exploitation workflow.
- AT3 — code exec in monolithic root monitor process is full device-control/admin command authority, but not a signing/OTA/trust-root, so not 4.
- PH4 — a patient monitor under attacker control can falsify vitals or suppress alarms -> credible wrong-therapy/missed-event injury.
- DP3 — vitals are health/sensitive operational state.
- perception_feeds_action — true: monitor readings drive clinical decisions/therapy.
- CH4 — + boundary_crossing: RCE bridges network->device->safety domain, reusable.
- SR4 — identical firmware across all units and rebrands.
- SX4 — remotely reachable on a flat network, no per-device physical access.
- OR4 — no patch, CISA says remove from network -> fleet-level remediation.
- EV2 — report-backed advisory, not independently reproduced here.
DEVICE_AVAILABILITY → EMERGENCY
CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:4/EC:4/EX:4/PH:4/DP:0/AT:2/CH:3/SR:4/SX:4/OR:4/EV:2/LS:ACTIVE
Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=ELEVATED · AT=CRITICAL → base EMERGENCY · uplift recall-class recovery → assessed EMERGENCY.
- RE4 — same unauthenticated network-reachable UDP datagram.
- EC4 — triggering an OOB write to crash/hang the monolithic process is trivial — a single malformed datagram, easier than reliable RCE.
- AT2 — crashing the process is bounded component/session disruption, not config/command authority.
- PH2 — loss of monitoring availability disrupts the workflow/alarming but is degraded-monitoring rather than direct dangerous actuation (clinician can notice an offline monitor).
- DP0 — a crash exposes no data.
- CH3 — contributes to a denial chain and crosses network->device boundary but is less of a reusable cross-domain authority bridge than full RCE.
- SR4 — same firmware fleet-wide.
- SX4 — remote, fleet-scale on flat network.
- OR4 — no patch, removal from network required.
- EV2 — report-backed.
Published baseline
- v4.0 9.3 CRITICAL —
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — CISA/ICS-CERT via NVD
- v3.1 9.8 CRITICAL —
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — CISA/ICS-CERT via NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources