Vertikal Systems Hospital Manager Backend Services
Plan Patch | CVSS 7.5 | ICS-CERT ICSMA-25-301-01 | Oct 28, 2025
Healthcare
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Vertikal Systems Hospital Manager Backend Services contains information disclosure vulnerabilities (CWE-497 and CWE-209) that allow an attacker to obtain unauthorized access to and read sensitive information without authentication. The vulnerabilities stem from exposure of sensitive data in error messages and improper handling of confidential details. Successful exploitation could disclose patient data or operational information used to manage hospital systems.
What this means
What could happen
An attacker with network access to the Hospital Manager Backend Services could read sensitive patient or system information without authentication. This could expose confidential medical data or operational details used to manage hospital systems.
Who's at risk
Healthcare organizations operating Vertikal Systems Hospital Manager Backend Services, including hospital IT staff responsible for clinical system management, patient data security officers, and system administrators who depend on this backend for hospital operations and patient record management.
How it could be exploited
An attacker on the network reaches the Hospital Manager Backend Services on its listening port(s) and sends crafted requests that exploit information disclosure vulnerabilities (CWE-497: exposure of sensitive data, CWE-209: information in error messages) to extract confidential information without providing credentials.
Prerequisites
- Network access to Hospital Manager Backend Services listening ports
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects sensitive data systems
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product | Affected Versions | Fix Status
Hospital Manager Backend Services: <=September_19_2025 | ≤ September 19 2025 | September_19_2025
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Hospital Manager Backend Services to only authorized management and clinical workstations; block direct access from the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Hospital Manager Backend Services to September 19, 2025 or later
Long-term hardening
HARDENING: Deploy the Hospital Manager Backend Services behind a firewall and isolate it from business networks using network segmentation
HARDENING: If remote access to Hospital Manager Backend Services is required, use a VPN with current security updates instead of direct Internet exposure
CVEs (2)