Vertikal Systems Hospital Data Management System Vulnerabilities Identified

By Daniel Lopez

Two vulnerabilities have been identified in Vertikal Systems' Hospital Manager Backend Services, a hospital data management system. The high-severity one can be exploited remotely in a low-complexity attack to gain access to sensitive data.

The vulnerabilities affect Hospital Manager Backend Services releases before September 19, 2025 and were fixed in the September 19, 2025 release and later. Users should update their product and contact Vertikal Systems for help in applying the fix.

CVE-2025-54459 is the more severe vulnerability, with a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7. It is an exposure of sensitive information to an unauthorized control sphere: the ASP.NET tracing endpoint /trace.axd was reachable without authentication, so a remote attacker could read live request traces and the sensitive data they contain, including authorization headers, request metadata, session identifiers, internal file paths, and server variables.

CVE-2025-61959 is the second vulnerability, rated medium severity with a CVSS v3.1 base score of 5.3 and a CVSS v4 base score of 6.9. It is caused by the generation of error messages that contain sensitive information. The Hospital Data Management System returned verbose ASP.NET error pages for malformed WebResource.axd requests, exposing framework and ASP.NET version information, internal paths, stack traces, and insecure configuration settings, which could aid reconnaissance by unauthenticated threat actors.
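Both issues above map to ASP.NET settings that an operator can audit in the application's web.config, independently of the vendor patch: remote tracing (which serves /trace.axd to non-local clients) and verbose error pages sent to remote users. The following auditor is an added example and is not Vertikal Systems' code; the page does not say which settings the vendor actually shipped, and the two sample configurations are constructed for illustration. The element names and defaults it checks (`<trace>`, `<customErrors>`, `<compilation>` under `<system.web>`) are real ASP.NET configuration.

```python
"""Audit an ASP.NET web.config for the settings behind the two issues above.

Added example (not the vendor's code). It checks three real <system.web>
settings, using ASP.NET's documented defaults when an attribute is absent:
  <trace enabled="true" localOnly="false"/>  -> /trace.axd served to remote clients
  <customErrors mode="Off"/>                 -> stack traces sent to remote clients
  <compilation debug="true"/>                -> debug detail in error output
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration that would expose both issues.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <trace enabled="true" localOnly="false" pageOutput="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample: the hardened configuration an operator should expect.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <trace enabled="false" localOnly="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
"""


def _attr(elem, name, default):
    """Return a normalised attribute value, or the ASP.NET default if the
    element or attribute is missing."""
    if elem is None:
        return default
    return elem.get(name, default).strip().lower()


def audit_web_config(xml_text):
    """Return a list of human-readable findings; an empty list means no
    weak setting was found."""
    root = ET.fromstring(xml_text)
    # The tag contains a dot, so match it directly rather than via an XPath.
    web = next((child for child in root if child.tag == "system.web"), None)
    findings = []

    trace = web.find("trace") if web is not None else None
    trace_enabled = _attr(trace, "enabled", "false") == "true"   # default: false
    local_only = _attr(trace, "localOnly", "true") == "true"     # default: true
    if trace_enabled and not local_only:
        findings.append('trace.axd served to remote clients: '
                        '<trace enabled="true" localOnly="false"/>')
    elif trace_enabled:
        findings.append('tracing enabled (local requests only): '
                        '<trace enabled="true"/>')

    custom = web.find("customErrors") if web is not None else None
    if _attr(custom, "mode", "remoteonly") == "off":             # default: RemoteOnly
        findings.append('verbose errors sent to remote clients: '
                        '<customErrors mode="Off"/>')

    comp = web.find("compilation") if web is not None else None
    if _attr(comp, "debug", "false") == "true":                  # default: false
        findings.append('debug compilation enabled: <compilation debug="true"/>')

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_web_config(cfg) or 'no findings'}")
```

Run it against a copy of the deployed web.config (for example `audit_web_config(open("web.config").read())`) after updating; a clean result still does not replace the vendor update, because the page attributes the fix to the September 19, 2025 release rather than to configuration alone.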

Vantage Point Security's Pundhapat Sichamnong discovered the vulnerabilities and reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In addition to installing the newest version, users of the software, including HIPAA-covered healthcare entities, should keep it off the public internet and behind a firewall. When remote access is necessary, use a secure access method such as a Virtual Private Network (VPN), keeping the VPN software itself updated to its latest version.

Image credit: khunkornStudio, AdobeStock / logo © Vertikal Systems


Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA