Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Critical flaws found in Vertikal Hospital software now patched

Written by Farah Amod | November 15, 2025

Hospitals using Vertikal Systems' Hospital Manager are urged to update their systems after researchers uncovered two serious security vulnerabilities.

What happened

Security researchers have discovered two vulnerabilities in Hospital Manager Backend Services, a widely used hospital information management system from Vertikal Systems. The most serious flaw, now tracked as CVE-2025-54459, could allow a remote attacker to access sensitive information through a low-complexity exploit. A second, medium-severity flaw (CVE-2025-61959) was also found to disclose internal system details.

The vulnerabilities affect software versions released prior to September 19, 2025. Vertikal Systems has since issued fixes and advises all users to update to the latest version immediately.

Going deeper

The high-severity vulnerability (CVE-2025-54459) was assigned a CVSS v4 score of 8.7. It involves an exposed ASP.NET tracing endpoint (/trace.axd) that lacked authentication. When accessed remotely, this endpoint could leak sensitive information, including request metadata, session tokens, authorization headers, internal server variables, and file paths.

The second flaw (CVE-2025-61959) had a CVSS v4 score of 6.9 and involved verbose error messages generated by invalid requests to WebResource.axd. These messages revealed detailed ASP.NET stack traces, internal paths, and framework versioning information, exposing potentially useful intelligence to attackers conducting reconnaissance.
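
For defenders who want to check their own IIS access logs for the exposure described above, here is an added Python example (not code from Vertikal Systems or the advisory) that parses W3C-format log lines and flags successful remote requests to /trace.axd and server-error responses from WebResource.axd; the log lines are constructed samples, and the field layout is assumed to match the #Fields directive IIS writes.

```python
import ipaddress

# Constructed IIS W3C log excerpt (not real hospital traffic); field order
# follows the #Fields directive, which real IIS logs also emit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-09-01 10:15:02 127.0.0.1 GET /trace.axd - 200
2025-09-01 10:16:44 203.0.113.25 GET /trace.axd - 200
2025-09-01 10:16:45 203.0.113.25 GET /trace.axd ID=3 200
2025-09-01 10:17:10 198.51.100.7 GET /WebResource.axd d=%00 500
2025-09-01 10:18:00 10.0.0.5 GET /Default.aspx - 200
2025-09-01 10:18:30 203.0.113.25 GET /WebResource.axd - 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_remote(ip):
    """Tracing is meant to be local-only, so only loopback hits are benign."""
    try:
        return not ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return True  # unparsable client address: treat as suspicious

def find_diagnostic_exposure(text):
    """Return (remote 200s on trace.axd, 5xx responses from WebResource.axd)."""
    trace_hits, verbose_errors = [], []
    for rec in parse_w3c(text):
        stem, status = rec["cs-uri-stem"].lower(), rec["sc-status"]
        if stem.endswith("/trace.axd") and status == "200" and is_remote(rec["c-ip"]):
            trace_hits.append(rec)  # tracing page served to a non-local client
        elif stem.endswith("/webresource.axd") and status.startswith("5"):
            verbose_errors.append(rec)  # likely a verbose ASP.NET error page
    return trace_hits, verbose_errors
```

On a patched system with local-only tracing, remote requests to trace.axd should no longer return 200, so any such hit after the update date is worth investigating.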

Both vulnerabilities were discovered by Pundhapat Sichamnong of Vantage Point Security and disclosed to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

What was said

Vertikal Systems has not issued a public statement, but recommends all users upgrade to the September 19, 2025, release or newer. In addition to applying the patch, users are advised to avoid exposing the system directly to the internet. Instead, organizations should place the system behind a firewall and use secure methods such as VPNs for any remote access.

The big picture

According to the Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation of vulnerabilities like those found in Vertikal Systems’ Hospital Manager could allow attackers to gain unauthorized access and expose sensitive medical or operational information. CISA urges healthcare organizations to reduce risk by minimizing network exposure, ensuring that hospital systems are not directly accessible from the internet, and isolating them behind firewalls. For facilities that require remote access, CISA advises using secure, up-to-date VPN connections while noting that VPNs are only as secure as the connected devices. The advisory reinforces the broader need for hospitals to adopt layered defenses and continuous monitoring to prevent exploitation of healthcare systems.

FAQs

What is ASP.NET tracing, and why is it a risk in this case?

ASP.NET tracing is a diagnostic feature that logs detailed information about application behavior. If left exposed without authentication, as was the case here, it can leak session tokens, request headers, and internal server details to any remote user.

Why are verbose error messages considered a security issue?

Verbose error pages often reveal stack traces, software versions, or internal paths. These details can help attackers map a system's architecture and identify specific software vulnerabilities to exploit.

What is CVSS, and how do its scores work?

The Common Vulnerability Scoring System (CVSS) is a standard for rating the severity of security vulnerabilities. Scores range from 0.0 to 10.0, with higher scores indicating more serious issues. CVSS v4 offers refined scoring to reflect real-world impact more accurately than earlier versions.

How should healthcare providers secure systems that must be accessed remotely?

Remote access should only be granted through secure channels such as VPNs. These VPNs should also be updated regularly and configured with strong authentication to minimize exposure.

Is it safe to continue using Hospital Manager Backend Services?

Yes, provided the system is updated to the patched release from September 19, 2025, or later, and additional security precautions (firewalls, VPNs, non-public exposure) are in place.