1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Vertikal Systems
- Equipment: Hospital Manager Backend Services
- Vulnerabilities: Exposure of Sensitive System Information to an Unauthorized Control Sphere, Generation of Error Message Containing Sensitive Information
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to obtain unauthorized access to and disclose sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Vertikal Systems service was affected:
- Hospital Manager Backend Services: Setpember 19, 2025 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497
Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.
CVE-2025-54459 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-54459. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: