April 11, 2026 Cyber Trends
HIPAA Journal reported two vulnerabilities in Vertikal Systems’ Hospital Manager Backend Services that could let unauthorized actors access sensitive hospital and patient information.
The high-severity flaw, CVE-2025-54459 (CVSS v4: 8.7), stems from the system exposing sensitive data to an unauthorized control sphere, which means attackers could reach information they should never see. A second bug, CVE-2025-61959 (CVSS v4: 6.9), causes error messages to leak sensitive details, giving attackers more context to pivot or escalate. CISA and researchers warned that healthcare organizations using Vertikal’s platform should immediately review where the system is deployed, remove unnecessary external exposure, and apply vendor mitigations because this sits in the clinical/operational workflow layer, not at the edge. The broader issue is recurring: healthcare apps and third-party hospital management platforms remain attractive because they aggregate PHI in one place and are often managed by vendors with uneven patch practices. Healthcare entities must treat these platforms with the same rigor as EHRs—segmented, monitored, and patched on vendor release.