CVE-2025-13596 is a vulnerability classified under CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-200 (Information Exposure). It affects ATISoluciones CIGES Application version 2.15.6 and earlier. The root cause is the application's error handling mechanism that, upon encountering unexpected conditions or unhandled exceptions, returns verbose error messages including stack traces and internal system details directly to the client. These messages can disclose sensitive information such as internal filesystem paths, SQL query structures, database connection parameters, and environment configuration data. Because the vulnerability is exploitable remotely without authentication or user interaction, an attacker can perform information gathering and reconnaissance activities to better understand the target environment. However, the vulnerability does not allow direct compromise, privilege escalation, or denial of service. The CVSS v4.0 base score is 2.7, reflecting the limited impact and ease of exploitation. No patches or fixes have been released at the time of publication, and no active exploitation has been reported. The vulnerability highlights the importance of secure error handling practices, such as sanitizing error messages and logging detailed errors only internally.

For European organizations using ATISoluciones CIGES Application version 2.15.6 or earlier, this vulnerability poses a risk of sensitive information leakage that could facilitate further targeted attacks. Disclosure of internal filesystem paths and database details can aid attackers in crafting SQL injection or other injection attacks, identifying software versions, or locating critical files. Although the vulnerability itself does not allow direct system compromise, it lowers the barrier for attackers by providing reconnaissance data. This is particularly concerning for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies. The exposure of environment configuration data may also reveal security misconfigurations or credentials. The overall impact is moderate in the attack chain context, as it can be a stepping stone for more severe attacks if combined with other vulnerabilities.

European organizations should immediately review their deployment of ATISoluciones CIGES Application and identify any instances running version 2.15.6 or earlier. Until a vendor patch is available, the following specific mitigations should be applied: 1) Disable detailed error messages and stack trace outputs in production environments by configuring the application or web server to show generic error pages. 2) Implement centralized logging of detailed errors accessible only to trusted administrators to avoid information leakage. 3) Conduct code reviews or configuration audits to ensure that error handling routines do not expose sensitive data. 4) Employ web application firewalls (WAFs) to detect and block suspicious requests that trigger error conditions. 5) Monitor logs for repeated error message requests that may indicate reconnaissance attempts. 6) Engage with ATISoluciones for timely updates or patches and plan for prompt deployment once available. 7) Educate development and operations teams on secure error handling best practices to prevent similar issues in future releases.