CVE-2025-54459: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Vertikal Systems Hospital Manager Backend Services
Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.
AI Analysis
Technical Summary
CVE-2025-54459 identifies a high-severity information-disclosure vulnerability in the Hospital Manager Backend Services developed by Vertikal Systems. Prior to September 19, 2025, the product exposed the ASP.NET trace viewer at /trace.axd with no authentication. The trace viewer is a diagnostic handler that records the most recent requests to the application and renders, for each one, the request headers, cookies, form and query-string data, session state, and server variables (including physical paths such as APPL_PHYSICAL_PATH). It is intended for local debugging: ASP.NET disables it by default and, when it is enabled, serves it only to requests originating from the server itself unless localOnly is switched off. With the handler reachable from the network, an unauthenticated remote attacker can read live traces of other users' requests and harvest session identifiers, Authorization headers, request metadata, and internal file paths. Captured session cookies or bearer tokens can be replayed to act as the affected user, including any administrative user whose request happened to be traced, and the leaked paths and server variables support reconnaissance for follow-on attacks. Exploitation requires no authentication or user interaction; the CVSS 4.0 base score of 8.7 (High) reflects the high confidentiality impact and low attack complexity. The advisory wording ("prior to September 19, 2025") indicates the exposure was addressed as of that date; this record lists no public exploit code, although retrieving the page needs nothing beyond an ordinary HTTP client. The weakness is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). It is particularly serious in healthcare deployments, where traced requests may carry patient data and where an impersonated clinical or administrative session threatens system integrity.
Potential Impact
For European organizations, especially hospitals and healthcare providers running Vertikal Systems Hospital Manager Backend Services, this vulnerability poses a severe risk. Traced requests to a hospital management backend are likely to contain patient data, so the exposure itself can constitute a personal-data breach under the GDPR. Captured session identifiers and authorization headers let an attacker impersonate legitimate users, potentially including administrative accounts, and from there compromise further hospital IT infrastructure or disrupt services. Leaked internal file paths and server variables reveal deployment details that help an attacker craft targeted follow-on attacks and raise the odds of exploiting other weaknesses. Because healthcare services are safety-critical, a compromise can affect patient care as well as trust. Regulatory penalties for data breaches in Europe can be substantial, adding financial and reputational cost. The flaw is reachable remotely without credentials, so any Internet-exposed instance can be targeted from anywhere, widening the pool of potential attackers for European hospitals and their service providers.
Mitigation Recommendations
European healthcare organizations should immediately audit their Hospital Manager Backend Services deployments to check whether /trace.axd answers requests from the network without authentication; an unauthenticated HTTP GET for that path from a non-local host that returns the trace viewer page (rather than 403 or 404) confirms exposure. Apply the vendor's update addressing the issue (the advisory states the exposure existed prior to September 19, 2025) and re-test afterwards to confirm the endpoint is no longer reachable. Where the update cannot be applied immediately, disable tracing in web.config by setting enabled="false" on the <trace> element under <system.web>, or at minimum keep localOnly="true" so the handler only serves requests originating from the server itself, and deny the path at the reverse proxy or web application firewall. Network-level restriction (IP allow-listing or VPN-only access) reduces exposure but does not remove the underlying misconfiguration. Review IIS and proxy logs for past requests to trace.axd from non-loopback client addresses: a 200 response to such a request means traces were served, and any session identifiers or tokens visible in those traces should be treated as compromised (invalidate the sessions and rotate the credentials). Add an alert for future requests to the path. Regular vulnerability scanning and web-application penetration testing should include checks for diagnostic handlers (.axd and similar) left enabled in production, and deployment guidance for operations staff should cover the risk of exposing them.
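As an added example (not code from the original page or from Vertikal Systems), the following Python script performs two of the checks above offline, using artifacts a defender already holds: audit_trace_config reads a web.config and reports whether the <trace> settings expose /trace.axd to remote clients, applying the documented ASP.NET defaults (enabled="false", localOnly="true"); find_remote_trace_hits scans IIS W3C-format log lines for trace.axd requests from non-loopback clients and notes which of them were actually served. The function names, the two web.config snippets and the log lines are constructed for this illustration and are not taken from the Hospital Manager product; the log parser takes its column order from the #Fields: directive, so it follows whatever field layout the server was configured with.

```python
import ipaddress
import xml.etree.ElementTree as ET


def _attr_true(element, name, default):
    """Read a boolean ASP.NET config attribute, applying its documented default."""
    if element is None or element.get(name) is None:
        return default
    return element.get(name).strip().lower() == "true"


def audit_trace_config(web_config_xml):
    """Report whether <system.web><trace> lets remote clients reach /trace.axd.

    ASP.NET defaults: enabled="false", localOnly="true". The trace viewer is
    reachable from other hosts only when enabled is true AND localOnly is false.
    """
    root = ET.fromstring(web_config_xml)
    trace = None
    for system_web in root.iter("system.web"):  # exact tag match, no XPath parsing
        trace = system_web.find("trace")
        if trace is not None:
            break
    enabled = _attr_true(trace, "enabled", False)
    local_only = _attr_true(trace, "localOnly", True)
    return {
        "trace_enabled": enabled,
        "local_only": local_only,
        "remote_exposure": enabled and not local_only,
    }


def find_remote_trace_hits(log_lines):
    """Return trace.axd requests from non-loopback clients found in IIS W3C logs.

    Each hit records the client IP, the requested URI (matched case-insensitively,
    since IIS paths are), the HTTP status, and whether the page was served (200).
    """
    fields = None
    hits = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names, in the server's configured order
            continue
        if line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # truncated or malformed line; skip rather than misattribute
        rec = dict(zip(fields, cols))
        uri = rec.get("cs-uri-stem", "")
        if not uri.lower().endswith("/trace.axd"):
            continue
        try:
            client = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue
        if client.is_loopback:
            continue  # what localOnly="true" permits anyway; not an exposure
        status = int(rec.get("sc-status", "0"))
        hits.append({"ip": str(client), "uri": uri, "status": status, "served": status == 200})
    return hits


# Constructed samples for this example; not taken from the Hospital Manager product.
EXPOSED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" requestLimit="40" pageOutput="false" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="false" />
  </system.web>
</configuration>"""

SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-01 10:15:02 10.0.0.5 GET /trace.axd - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-09-01 10:15:03 10.0.0.5 GET /Trace.axd id=3 443 - 203.0.113.7 curl/8.5.0 200
2025-09-01 10:16:10 10.0.0.5 GET /trace.axd - 443 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0) 200
2025-09-01 10:17:44 10.0.0.5 GET /api/patients - 443 drsmith 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-09-01 10:18:00 10.0.0.5 GET /trace.axd - 443 - 198.51.100.9 python-requests/2.32 403
""".splitlines()


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_trace_config(cfg))
    for hit in find_remote_trace_hits(SAMPLE_IIS_LOG):
        print(hit)
```

Against the constructed log, the script reports three remote hits: two served traces to 203.0.113.7 (one of them via the differently cased /Trace.axd) and one blocked probe from 198.51.100.9; the loopback request is ignored because it is exactly what localOnly="true" would still allow. A served hit is the signal to invalidate the sessions visible in the trace window around that time.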
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-10-08T22:13:45.410Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69028fd8779efea1caa73058
Added to database: 10/29/2025, 10:06:16 PM
Last enriched: 11/6/2025, 2:09:35 AM
Last updated: 12/12/2025, 7:33:42 AM