CISA alerts healthcare sector to hospital management system vulnerabilities
Successful exploitation of two low-complexity vulnerabilities found in a Vertikal Systems hospital management information system could potentially expose sensitive data.
Two vulnerabilities in a hospital information management system by Vertikal Systems could endanger sensitive data if exploited, the Cybersecurity and Infrastructure Security Agency, or CISA, warned in an advisory.
Vertikal Systems is a Romania-based company that serves clients worldwide. The company's hospital management information system, called Hospital Manager Backend Services, was the subject of CISA's advisory. The software product helps hospitals manage various backend operations.
Both flaws were fixed by Vertikal Systems on Sept. 19, 2025, and will be applied to all future releases. Users should work with Vertikal Systems to make sure their systems are up to date.
The first vulnerability, tracked as CVE-2025-54459, is a high-severity flaw that exposed the ASP.NET tracing endpoint /trace.axd without authentication. With this endpoint exposed, a remote attacker could obtain live request traces and sensitive data, including internal file paths, metadata and session identifiers. This vulnerability received a base Common Vulnerability Scoring System (CVSS) v4 score of 8.7.
The second vulnerability, tracked as CVE-2025-61959, received a CVSS v4 base score of 6.9, meaning it is a medium-severity vulnerability.
Prior to Sept. 19, 2025, when the flaw was fixed, the Hospital Manager Backend Services "returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration `customErrors mode="Off"`, which could have facilitated reconnaissance by unauthenticated attackers," CISA stated.
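Both issues map to settings in a standard ASP.NET `web.config`. The fragment below is an added illustration, not Vertikal Systems' configuration or the vendor's fix; it assumes a classic ASP.NET (System.Web) application hosted on IIS and shows the weak settings from the advisory as comments beside hardened equivalents that stop `/trace.axd` from serving traces and stop verbose error pages from reaching remote clients.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- WEAK (illustrative): remote tracing publishes live request traces at /trace.axd.
         <trace enabled="true" localOnly="false" /> -->
    <!-- HARDENED: tracing off in production; localOnly is a second line of defence
         if someone re-enables it for debugging. -->
    <trace enabled="false" localOnly="true" />

    <!-- WEAK (quoted in the advisory): customErrors mode="Off" returns stack traces,
         internal paths and framework version to every client.
         <customErrors mode="Off" /> -->
    <!-- HARDENED: generic error page for all clients; RemoteOnly would still show
         details to requests originating on the server itself. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite" />

    <!-- Debug builds add symbols and timing data to error output; keep it off. -->
    <compilation debug="false" />

    <!-- Removes the X-AspNet-Version response header, one less version hint
         for unauthenticated reconnaissance. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <!-- IIS 7+ pipeline: replace any detailed error body (including ones produced
         for malformed WebResource.axd requests) with the custom error page. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="500" />
      <error statusCode="500" path="/Error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

A quick check after deployment is that an unauthenticated request to `/trace.axd` returns the custom error page rather than a trace listing, and that a malformed `WebResource.axd` request returns the same generic page with no stack trace or version string.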
A researcher from Vantage Point Security first discovered the flaws and reported them to CISA.
In addition to working with Vertikal Systems to minimize risk related to this specific product, CISA recommended that users take defensive measures to avoid exploitation, including minimizing network exposure for all control system devices and isolating control system networks from business networks. CISA also recommended using virtual private networks when remote access is required.
"Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents," CISA added.
At the time of publication, CISA had not received any reports of public exploitation of these two vulnerabilities.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.