Agency Warns Vertikal Systems Vulnerabilities Could Help Hackers Access Data

Marianne Kolbasuk McGee (HealthInfoSec) •
October 29, 2025    

Hospital System Flaws Could Leak Patient Data, CISA Says
CISA is warning that vulnerabilities in certain Vertikal Systems hospital information management software pose potential hacking risks. (Image: Vertikal)

U.S. federal authorities are warning about vulnerabilities in hospital information management systems from Romanian firm Vertikal Systems that could allow hackers to obtain and disclose patient data. The affected systems are used mostly by smaller hospitals and clinics outside the United States.

See Also: Tokenization, Authentication, and the Future of Machine-Led Transactions

The Cybersecurity Infrastructure and Security Agency in an advisory Tuesday said the flaws discovered in Vertikal’s Hospital Manager Backend Services can be remotely exploited with low attack complexity.

“Successful exploitation of these vulnerabilities could allow an attacker to obtain unauthorized access to and disclose sensitive information,” CISA said.

The first of the two Vertikal system vulnerabilities involves “exposure of sensitive system information to an unauthorized control sphere” affecting the Vertikal product prior to Sept. 19.

“The Hospital Manager Backend Services exposed the ASP.NET tracing endpoint trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables and internal file paths,” CISA wrote.

That vulnerability has been assigned as CVE-2025-54459, with a calculated CVSS v3.1 base score of 7.5, CISA said. In addition, a CVSS v4 base score of 8.7 has also been calculated for the CVE-2025-54459 vulnerability.

The second Vertikal vulnerability is described as the “generation of an error message containing sensitive information,” also affecting the hospital information system product prior to Sept. 19.

“The Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths and the insecure configuration ‘customErrors mode=”Off”‘ – which could have facilitated reconnaissance by unauthenticated attackers,” CISA wrote.

CISA said CVE-2025-61959 has been assigned to this vulnerability, receiving a CVSS v3.1 base score of 5.3 and a CVSS v4 base score of 6.9.

Alt text goes hereCISA recommends Vertikal systems users to mitigate the recently discovered flaws. (Image: CISA)

The flaws put Vertikal systems at risk for data compromises, experts said.

“The vulnerabilities impacting the Vertikal healthcare information management products may enable hackers to access sensitive data from customer instances,” said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center.

“This may result in delays in diagnosis, treatment, or exposure of patient information,” he said.

Pundhapat Sichamnong, a researcher at security firm Vantage Point Security, reported the findings to CISA. Neither Sichamnong nor Vertikal Systems immediately responded to Information Security Media Group’s request for additional details about the vulnerabilities.

Mitigation Measures

CISA said Vertikal “fixed” the vulnerabilities by Sept. 19. Still, the agency recommends users of the product take other measures to minimize the risk of these vulnerabilities being exploited. That includes minimizing network exposure for all control system devices and systems to ensure they are not accessible from the internet; and setting control system networks and remote devices behind firewalls and isolating them from business networks.

“When remote access is required, use more secure methods, such as virtual private networks, recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize the VPN is only as secure as the connected devices.”

Axel Wirth, chief security strategist at security firm Medcrypt, said the additional recommendations from CISA are important.

“CISA provides good guidance on how to address this vulnerability but much of it can be adopted as general security practices, specifically to stay informed about your suppliers’ security alerts and to architecturally minimize systems’ network exposure,” he said.

“No matter whether a vulnerability has been disclosed or not, it is good practice to isolate critical systems, to segment networks to avoid exposure and to monitor network traffic for suspicious events.”

Englert also recommends Vertikal users take action to ensure the vulnerabilities potentially affecting their systems are indeed patched. “Vertikal has fixes available and all customers are encouraged to contact Vertikal support to obtain and apply the updates as quickly as possible,” he said.

CISA’s alert indicates that the affected Vertikal’s products are deployed “worldwide.”

Vertikal’s website indicates the company’s products are sold or used in Lebanon, Turkey, Iraq, Egypt, Bahrain, Guatemala, Trinidad and Tobago, Malaysia, Myanmar, Papua New Guinea, Pakistan, Saudi Arabia, Nigeria, Ghana, Kenya, Zambia, Botswana, Somalia, Somaliland, New Zealand and some European countries including Romania. “It does not seem to have a U.S. or Canada presence,” Wirth said.