CISA Warns: Hospital System Vulnerabilities May Expose Patient Data


Agency Warns Vertikal Systems Vulnerabilities Could Help Hackers Access Data

CISA has issued warnings regarding vulnerabilities in Vertikal Systems’ hospital management software that may expose sensitive data to hackers. (Image: Vertikal)

U.S. federal authorities have warned of vulnerabilities in hospital information management systems made by Romania-based Vertikal Systems. The flaws could let attackers access and disclose patient data, and they predominantly affect smaller hospitals and clinics outside the United States.

In an advisory released Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) said that flaws in Vertikal’s Hospital Manager Backend Services are exploitable remotely and have low attack complexity. CISA warned that “successful exploitation could allow an attacker to gain unauthorized access to sensitive information.”

The first vulnerability is an exposure of sensitive system information to unauthorized users, affecting all versions of the product released prior to September 19. An unsecured ASP.NET tracing endpoint lets an unauthenticated client read live request traces, and those traces include session identifiers and authorization headers, which are exactly the values that grant access to another user's authenticated session.

Assigned the identifier CVE-2025-54459, this vulnerability has a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7, both in the High severity range. The second vulnerability is the generation of error messages that leak sensitive system information, again affecting versions prior to September 19; it is tracked as CVE-2025-61959 and has a CVSS v3.1 base score of 5.3 (Medium).
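Both flaws map onto settings an ASP.NET operator controls in web.config: the built-in trace viewer is only served to remote clients when tracing is enabled with localOnly turned off, and the full error page only reaches remote clients when customErrors is Off. The following audit script is an added example, not Vertikal's code or anything from the advisory; the two sample configurations are constructed, and the trace viewer path (trace.axd, the ASP.NET default) is an assumption, since the page does not name the endpoint.

```python
"""Audit an ASP.NET web.config for the two information-disclosure patterns
described above: a remotely reachable trace viewer and verbose error pages.
Added example, not Vertikal's code; both sample configs are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the weak settings a leaky deployment would carry.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <trace enabled="true" localOnly="false" requestLimit="100" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the same file with the settings corrected.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <trace enabled="false" localOnly="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html" />
  </system.web>
</configuration>"""


def _attr(elem, name, default):
    """Attribute value lower-cased, falling back to the ASP.NET default
    when the element or attribute is absent."""
    if elem is None:
        return default.lower()
    return elem.get(name, default).strip().lower()


def audit_web_config(xml_text):
    """Return a list of (setting, finding) tuples; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []
    if web is None:
        return findings

    trace = web.find("trace")
    # ASP.NET defaults are enabled="false", localOnly="true". The trace viewer
    # (trace.axd by default; assumed path) is served to remote clients only when
    # both are overridden, which is the CVE-2025-54459 exposure pattern.
    enabled = _attr(trace, "enabled", "false") == "true"
    local_only = _attr(trace, "localOnly", "true") == "true"
    if enabled and not local_only:
        findings.append(("trace", "trace viewer reachable by remote clients; "
                                  "traces carry cookies and Authorization headers"))
    elif enabled:
        findings.append(("trace", "tracing enabled (local only); request data is "
                                  "still retained and readable on the host"))

    errors = web.find("customErrors")
    # Default mode is RemoteOnly; Off sends the full ASP.NET error page, with
    # stack trace and server paths, to every client (CVE-2025-61959 pattern).
    if _attr(errors, "mode", "RemoteOnly") == "off":
        findings.append(("customErrors", "mode=Off returns stack traces and "
                                         "server paths to remote clients"))

    comp = web.find("compilation")
    # debug="true" adds source context to error output and should be off in production.
    if _attr(comp, "debug", "false") == "true":
        findings.append(("compilation", "debug=true adds source context to error output"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or "no findings")
```

Run against a deployed web.config, the script reports only settings that deviate from the ASP.NET defaults, so a file that never mentions `<trace>` or `<customErrors>` comes back clean, which matches how ASP.NET itself treats it.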

Experts suggest that these vulnerabilities significantly increase the risk of data breaches. “The flaws may enable hackers to access sensitive data from customer instances, potentially resulting in delays in diagnosis and treatment or exposure of patient information,” said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center.


CISA said Vertikal had patched all affected systems by September 19. Users are still encouraged to take defensive measures: minimize network exposure so the backend services are not reachable from the internet, and routinely monitor traffic for suspicious activity. Where remote access is required, CISA recommends a virtual private network, while noting that VPNs have vulnerabilities of their own.

Actionable steps include contacting Vertikal support to ensure that patches are applied promptly. Companies using Vertikal’s products, which are deployed in various regions across the globe, including parts of Europe and the Middle East, are particularly advised to manage these cybersecurity risks proactively and monitor their networks effectively.

This advisory is part of a broader trend: healthcare information systems are increasingly targeted by malicious actors. As the threats evolve, organizations in the health sector need to strengthen their security posture and stay vigilant against potential attacks.
