CVE-2025-61959: CWE-209 Generation of Error Message Containing Sensitive Information in Vertikal Systems Hospital Manager Backend Services
Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode="Off"', which could have facilitated reconnaissance by unauthenticated attackers.
AI Analysis
Technical Summary
CVE-2025-61959 is classified under CWE-209 (Generation of Error Message Containing Sensitive Information). Prior to September 19, 2025, Vertikal Systems' Hospital Manager Backend Services answered invalid requests to the ASP.NET WebResource.axd handler with the framework's detailed error page instead of a generic one. That page disclosed the .NET Framework and ASP.NET version, the exception stack trace, internal file paths, and the insecure 'customErrors mode="Off"' setting. None of this requires authentication or user interaction: any client that can reach the service over the network can trigger the page by requesting WebResource.axd with a malformed parameter. The leaked details are reconnaissance material rather than a foothold in themselves; they let an attacker map the application's layout and pin down the exact framework build, so that known, version-specific weaknesses can be looked up before a targeted exploitation attempt. The CVSS 4.0 base score of 6.9 (medium) reflects exactly that: a confidentiality impact from information disclosure with no direct impact on integrity or availability. No exploitation in the wild had been reported, and no patch or mitigation links were provided at the time of publication. The advisory is a reminder that error handling is a security control in web applications, particularly in healthcare environments where sensitive patient data and operational continuity are at stake.
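To check whether a deployment actually returns the detailed page, the request described above is enough; the response body is what matters. The following is an added example, not the vendor's code and not taken from the advisory, that builds the WebResource.axd probe and scores a response body for the markers of ASP.NET's detailed error page. The two sample bodies are constructed to resemble the detailed page and the generic "Runtime Error" page; the path, stack frames and version numbers in them are made up. One caveat the scoring reflects: the literal text customErrors mode="Off" is also quoted by ASP.NET's generic error page, as instructions for enabling details, so on its own it is weak evidence; the stack trace and the Version Information line are the markers that prove the leak.

```python
"""Fingerprint ASP.NET's detailed error page (CWE-209) in an HTTP response.

Added example for the CVE-2025-61959 write-up; not the vendor's code. The two
response bodies below are constructed to resemble ASP.NET's detailed page and
its generic "Runtime Error" page. Paths, stack frames and versions are made up.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# (pattern, weight). The stack trace and the version banner are what actually
# leaks, so they carry most of the weight.
INDICATORS = {
    "stack_trace": (re.compile(r"Stack Trace:"), 3),
    "version_info": (re.compile(
        r"Microsoft \.NET Framework Version:\s*([\d.]+);\s*ASP\.NET Version:\s*([\d.]+)"), 3),
    "internal_path": (re.compile(r"\b[A-Za-z]:\\[^\s<>]+"), 2),
    "server_error_banner": (re.compile(r"Server Error in '[^']*' Application"), 1),
    # ASP.NET's *generic* error page also quotes <customErrors mode="Off"/> as
    # instructions for turning details on, so this string alone proves little.
    "custom_errors_off": (re.compile(r'customErrors\s+mode="Off"'), 1),
}
VERBOSE_THRESHOLD = 3  # reached only if a stack trace or version line is present


@dataclass
class Finding:
    verbose: bool
    score: int
    matched: list = field(default_factory=list)
    framework_version: str = ""
    aspnet_version: str = ""
    paths: list = field(default_factory=list)


def analyze_body(body: str) -> Finding:
    """Score a response body and pull out what it leaks."""
    f = Finding(verbose=False, score=0)
    for name, (pattern, weight) in INDICATORS.items():
        m = pattern.search(body)
        if not m:
            continue
        f.matched.append(name)
        f.score += weight
        if name == "version_info":
            f.framework_version, f.aspnet_version = m.group(1), m.group(2)
        elif name == "internal_path":
            f.paths = sorted(set(pattern.findall(body)))
    f.verbose = f.score >= VERBOSE_THRESHOLD
    return f


def probe_url(base_url: str) -> str:
    """The request the advisory describes: WebResource.axd with a 'd' value
    that is not a valid encrypted resource token, which the handler rejects
    with an HttpException."""
    return base_url.rstrip("/") + "/WebResource.axd?d=not-a-valid-resource-token&t=0"


def probe(base_url: str, timeout: float = 10.0) -> Finding:
    """Fetch the probe URL (needs network access) and analyze the body.
    The handler answers with HTTP 500, so the body is read from the error."""
    req = urllib.request.Request(probe_url(base_url), headers={"User-Agent": "cwe209-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return analyze_body(body)


# Constructed sample: what customErrors mode="Off" hands to any client.
SAMPLE_VERBOSE = """<html><body><h1>Server Error in '/' Application.</h1>
<h2><i>This is an invalid webresource request.</i></h2>
<b>Exception Details:</b> System.Web.HttpException: This is an invalid webresource request.
<b>Source File:</b> C:\\inetpub\\wwwroot\\app\\Global.asax.cs
<b>Stack Trace:</b>
<pre>[HttpException (0x80004005): This is an invalid webresource request.]
   System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) +1234
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +188</pre>
<hr><b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4645.0
</body></html>"""

# Constructed sample: the generic page ASP.NET shows remote clients when
# customErrors is On or RemoteOnly. Note that it still quotes mode="Off".
SAMPLE_GENERIC = """<html><body><h1>Server Error in '/' Application.</h1>
<h2><i>Runtime Error</i></h2>
<b>Description:</b> The current custom error settings for this application prevent
the details of the application error from being viewed remotely (for security reasons).
<b>Details:</b> This &lt;customErrors&gt; tag should then have its "mode" attribute set to "Off".
<pre>&lt;customErrors mode="Off"/&gt;</pre>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("detailed page", SAMPLE_VERBOSE), ("generic page", SAMPLE_GENERIC)):
        f = analyze_body(body)
        print(f"{label}: verbose={f.verbose} score={f.score} matched={f.matched} "
              f"aspnet={f.aspnet_version or '-'} paths={f.paths}")
```

Run it as-is to see the two constructed bodies scored; call probe("https://host") against a test instance you are authorised to assess to score a live response. The threshold is deliberately reached only by the stack trace or the version line, so a hardened server whose generic page happens to quote mode="Off" is not reported as verbose.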
Potential Impact
For European organizations running Vertikal Systems' Hospital Manager Backend Services, chiefly healthcare providers, this vulnerability is an information-leakage risk rather than a direct compromise. Knowing the exact ASP.NET build and the internal directory layout lets an attacker shortlist applicable framework or application vulnerabilities and craft targeted follow-on attacks (injection, privilege escalation, or ransomware deployment) with far less trial and error. Because healthcare infrastructure is critical and patient data is highly sensitive, even this indirect reconnaissance can contribute to data breaches, operational disruption, and regulatory non-compliance under GDPR. The medium severity rating reflects that integrity and availability are not directly affected; the exposed information is valuable mainly as a stepping stone to more damaging attacks. European healthcare providers should treat this vulnerability as part of their broader risk management and incident response planning so that reconnaissance is not allowed to escalate.
Mitigation Recommendations
To mitigate CVE-2025-61959, organizations should immediately review the error-handling configuration of the Hospital Manager Backend Services. In the application's ASP.NET configuration (web.config) the 'customErrors' mode must be set to 'On' or 'RemoteOnly', with a 'defaultRedirect' pointing at a generic error page, so that detailed error information is never returned to remote, unauthenticated clients. Two related settings close adjacent leaks: 'compilation debug="false"' keeps source line numbers out of stack traces, and 'httpRuntime enableVersionHeader="false"' removes the X-AspNet-Version response header, which otherwise discloses the framework version on every response regardless of error handling. Route the detailed exception data to centralized logging (a server-side exception logger, for example in Application_Error) so it stays available to operators without reaching end users. Verify the fix rather than assuming it: request WebResource.axd, and its sibling handler ScriptResource.axd, with a malformed 'd' parameter from outside the server and confirm the response contains no stack trace, file path, or 'Version Information' line; exercise other unhandled-exception paths as well, since customErrors governs all of them. As a second layer, a reverse proxy or Web Application Firewall can replace or strip the body of 5xx responses, and IIS's own httpErrors section ('errorMode="Custom"' with 'existingResponse="Replace"') does the same at the web-server level. Confirm with Vertikal Systems which release corrected the behaviour (the advisory dates the change to September 19, 2025) and apply vendor updates as they become available. Finally, train developers and administrators on secure error handling and the reconnaissance value of information disclosure.
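The settings above, as an added example that is not the vendor's configuration: two constructed web.config fragments, one with the weak settings the advisory describes and one hardened as recommended, plus a small audit function that flags the weak ones. The audit also reports httpRuntime's enableVersionHeader and IIS's httpErrors errorMode, which the advisory does not mention but which expose the same information. The element and attribute names are standard ASP.NET/IIS configuration; the file contents and the Error.aspx path are invented for illustration.

```python
"""Audit an ASP.NET web.config for the error-disclosure settings behind
CVE-2025-61959 (CWE-209).

Added example; not the vendor's configuration. Both fragments below are
constructed: WEAK_CONFIG has the settings the advisory describes,
HARDENED_CONFIG the form the mitigation section calls for.
"""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <!-- RemoteOnly: full detail only for requests made on the server itself;
         remote clients are sent to the generic page instead. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- Drop the X-AspNet-Version response header. -->
    <httpRuntime targetFramework="4.8" enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <!-- Second layer in IIS: replace whatever 5xx body the application
         produced with the error page. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="500" />
      <error statusCode="500" path="/Error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def _child(node, *tags):
    """Walk direct children by tag name (avoids ElementPath, whose syntax is
    awkward with dotted element names such as system.web)."""
    for tag in tags:
        node = next((c for c in node if c.tag == tag), None)
        if node is None:
            return None
    return node


def audit(config_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    findings = []

    ce = _child(root, "system.web", "customErrors")
    mode = (ce.get("mode", "RemoteOnly") if ce is not None else "RemoteOnly").lower()
    if ce is None:
        findings.append("customErrors not declared: framework default RemoteOnly applies, "
                        "but state it explicitly so a deployment cannot silently differ")
    if mode == "off":
        findings.append('customErrors mode="Off": stack traces, paths and versions '
                        "go to every client (CWE-209)")
    elif mode not in ("on", "remoteonly"):
        findings.append(f"customErrors mode={mode!r} is not a valid value")
    elif ce is not None and not ce.get("defaultRedirect"):
        findings.append("customErrors has no defaultRedirect: remote clients still get "
                        "ASP.NET's own generic page, which identifies the stack")

    comp = _child(root, "system.web", "compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true": debug build; error pages add '
                        "source line numbers to stack traces")

    rt = _child(root, "system.web", "httpRuntime")
    if rt is None or rt.get("enableVersionHeader", "true").lower() != "false":
        findings.append("X-AspNet-Version header not suppressed: set "
                        'httpRuntime enableVersionHeader="false"')

    he = _child(root, "system.webServer", "httpErrors")
    if he is not None and he.get("errorMode", "DetailedLocalOnly") == "Detailed":
        findings.append('httpErrors errorMode="Detailed": IIS sends detailed '
                        "error pages to remote clients too")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for line in audit(cfg) or ["no findings"]:
            print("  -", line)
```

Point audit() at the contents of a real web.config to get the same report for a deployment. A missing customErrors element is reported as well, because the framework default (RemoteOnly) is safe only as long as nothing higher up the configuration hierarchy overrides it; an explicit setting is what you can review.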
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-10-08T22:13:45.428Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69028fd8779efea1caa7305b
Added to database: 10/29/2025, 10:06:16 PM
Last enriched: 10/29/2025, 10:09:40 PM
Last updated: 10/30/2025, 3:47:38 PM
Related Threats
- CVE-2025-61116: n/a (severity: Unknown)
- CVE-2025-61113: n/a (severity: Unknown)
- CVE-2025-46363: CWE-23: Relative Path Traversal in Dell Secure Connect Gateway SCG 5.0 Application and Appliance (severity: Medium)
- CVE-2025-61115: n/a (severity: Unknown)
- CVE-2025-36592: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Dell Secure Connect Gateway SCG Policy Manager (severity: Medium)