CVE-2025-61959: CWE-209 Generation of Error Message Containing Sensitive Information in Vertikal Systems Hospital Manager Backend Services
Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode="Off"', which could have facilitated reconnaissance by unauthenticated attackers.
AI Analysis
Technical Summary
CVE-2025-61959 is a vulnerability classified under CWE-209, which involves the generation of error messages containing sensitive information. The affected product is Vertikal Systems' Hospital Manager Backend Services, a healthcare management backend system. Prior to September 19, 2025, the backend services returned verbose ASP.NET error pages when handling invalid WebResource.axd requests. These error pages exposed detailed information including the ASP.NET framework and version, stack traces, internal file paths, and revealed that the application was configured with 'customErrors mode="Off"'. This configuration disables custom error pages and instead shows detailed error information to the client. Because these error messages are accessible without authentication or user interaction, unauthenticated attackers can leverage this information leakage to perform reconnaissance on the backend system. Such reconnaissance can reveal software versions and internal structure, which can be used to identify further vulnerabilities or tailor attacks. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. No known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions prior to the fix date, with no specific patch links provided yet. The root cause is insecure error handling configuration in ASP.NET applications, a common issue that can be mitigated by enabling custom error pages and suppressing detailed error output to end users.
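The analysis above explains that the leak comes from a single ASP.NET setting, `customErrors mode="Off"`, and that the fix is to switch it to a mode that suppresses detailed output. The following Python script is an added example, not code from the advisory or from Vertikal Systems: it places a constructed insecure `web.config` fragment beside a constructed hardened one and audits both for the weakness described. The two configuration samples, the helper names and the extra `compilation debug` check are assumptions for illustration, not details taken from the affected product.

```python
"""Audit an ASP.NET web.config for the customErrors weakness in this advisory.

Added example, not code from the advisory or from Vertikal Systems. The two
web.config fragments are constructed samples, not the vendor's configuration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the insecure setting the advisory describes. With
# mode="Off", unhandled exceptions render the full ASP.NET error page
# (exception text, stack trace, physical paths, framework version).
INSECURE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample: hardened. RemoteOnly still shows detailed errors to
# requests coming from the server itself (local debugging) but sends every
# remote client to the generic page; "On" would hide details from everyone.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

SAFE_MODES = {"On", "RemoteOnly"}


def _child(element, tag):
    """Return the first direct child with the given tag, or None."""
    return next((c for c in element if c.tag == tag), None)


def audit_custom_errors(web_config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section found; error handling not configured here"]

    custom_errors = _child(system_web, "customErrors")
    if custom_errors is None:
        findings.append("customErrors not set explicitly; an inherited default "
                        "applies, so set the mode on purpose")
    else:
        mode = custom_errors.get("mode", "")
        if mode not in SAFE_MODES:
            findings.append(f"customErrors mode={mode!r}: detailed error pages "
                            "are returned to remote clients")

    # Related hardening check (not named in the advisory): debug builds add
    # source line numbers to stack traces and should not ship to production.
    compilation = _child(system_web, "compilation")
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true": stack traces carry line numbers')
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_custom_errors(cfg) or ["ok"])
```

Run it against a real `web.config` by reading the file and passing its contents to `audit_custom_errors`; the insecure sample yields two findings, the hardened sample none. The audit deliberately treats a missing `customErrors` element as a finding, because a setting that is only inherited is easy to lose when a parent configuration changes.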
Potential Impact
For European organizations, especially those in the healthcare sector using Vertikal Systems' Hospital Manager Backend Services, this vulnerability poses a risk of sensitive information disclosure. The leakage of framework versions, stack traces, and internal paths can facilitate attacker reconnaissance, increasing the likelihood of successful targeted attacks such as exploitation of known vulnerabilities in the disclosed software versions or tailored phishing campaigns. Although the vulnerability itself does not directly allow system compromise, it lowers the attacker's effort to map the system and identify weaknesses. This can lead to subsequent attacks impacting confidentiality, integrity, or availability of hospital management systems, potentially disrupting critical healthcare services. Given the sensitivity of healthcare data and the critical nature of hospital operations, even indirect exploitation can have serious consequences including data breaches, operational downtime, and regulatory penalties under GDPR. The medium severity rating reflects the indirect but significant risk posed by information leakage in a critical sector.
Mitigation Recommendations
To mitigate CVE-2025-61959, organizations should immediately review and update the error handling configuration in their Hospital Manager Backend Services. Specifically, the 'customErrors' setting in the ASP.NET configuration should be set to 'On' or 'RemoteOnly' to prevent detailed error information from being displayed to unauthenticated users. Implement custom error pages that provide generic error messages without revealing stack traces, framework versions, or internal paths. Additionally, ensure that WebResource.axd requests are properly validated and handled to avoid triggering verbose errors. Monitor web server logs for repeated invalid requests to WebResource.axd endpoints, which may indicate reconnaissance attempts. Organizations should also keep abreast of vendor advisories and apply patches or updates once released by Vertikal Systems. Network-level protections such as web application firewalls (WAFs) can be configured to block suspicious requests targeting error-prone endpoints. Finally, conduct regular security assessments and penetration tests to verify that error handling configurations do not leak sensitive information.
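The monitoring step above, repeated invalid requests to `WebResource.axd` as a reconnaissance signal, can be turned into a simple detection over IIS W3C logs. The script below is an added example, not part of the advisory or of the vendor's product: it parses a constructed log sample using the `#Fields:` header, counts failing (4xx/5xx) `WebResource.axd` requests per client address within a sliding time window, and reports addresses that cross a threshold. The sample lines, addresses, threshold and window are all assumptions to be tuned per site.

```python
"""Detect repeated failing WebResource.axd requests in IIS W3C logs.

Added example, not part of the advisory. The log lines are constructed
samples in IIS's default W3C layout; threshold and window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 198.51.100.7 sends malformed WebResource.axd
# requests and receives server errors; the other clients look benign.
# IIS writes "+" for spaces inside fields, so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-01 10:00:01 10.0.0.5 GET /WebResource.axd d=AAAA 443 - 198.51.100.7 Mozilla/5.0 - 500 0 0 15
2025-09-01 10:00:02 10.0.0.5 GET /WebResource.axd d=BBBB 443 - 198.51.100.7 Mozilla/5.0 - 500 0 0 12
2025-09-01 10:00:05 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
2025-09-01 10:00:06 10.0.0.5 GET /WebResource.axd d=VALID 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 8
2025-09-01 10:00:09 10.0.0.5 GET /WebResource.axd d=CCCC 443 - 198.51.100.7 Mozilla/5.0 - 500 0 0 11
2025-09-01 10:00:30 10.0.0.5 GET /WebResource.axd d=x 443 - 192.0.2.44 curl/8.0 - 404 0 0 5
2025-09-01 10:01:15 10.0.0.5 GET /WebResource.axd d=DDDD 443 - 198.51.100.7 Mozilla/5.0 - 500 0 0 13
2025-09-01 10:03:00 10.0.0.5 GET /Admin/Report.aspx - 443 - 192.0.2.44 curl/8.0 - 500 0 0 9
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed records instead of aborting the scan
        yield dict(zip(fields, values))


def find_webresource_probes(text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: peak_count} for clients whose failing
    WebResource.axd requests reach `threshold` within `window`."""
    recent = defaultdict(deque)  # per-client timestamps inside the window
    peak = {}
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != "/webresource.axd":
            continue
        try:
            status = int(rec["sc-status"])
        except ValueError:
            continue
        if status < 400:
            continue  # a successful resource fetch is normal page traffic
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        hits = recent[rec["c-ip"]]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            peak[rec["c-ip"]] = max(peak.get(rec["c-ip"], 0), len(hits))
    return peak


if __name__ == "__main__":
    for ip, count in find_webresource_probes(SAMPLE_LOG).items():
        print(f"{ip}: {count} failing WebResource.axd requests within 5 minutes")
```

On the sample, only `198.51.100.7` is reported (four failures inside the window); the client with a single 404 stays below the threshold, and the 500 on a different path is ignored because the rule is scoped to the endpoint named in the advisory. Once `customErrors` is fixed the same requests still fail, so the detection keeps working after the mitigation and flags who was probing the endpoint.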
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-10-08T22:13:45.428Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69028fd8779efea1caa7305b
Added to database: 10/29/2025, 10:06:16 PM
Last enriched: 11/6/2025, 2:10:45 AM
Last updated: 12/14/2025, 2:46:59 AM