Executive Summary
In September 2025, Vertikal Systems disclosed two critical vulnerabilities affecting its Hospital Manager Backend Services. The first flaw (CVE-2025-54459) allowed unauthorized, remote access to the ASP.NET tracing endpoint, potentially exposing sensitive data such as authorization tokens and server metadata. The second (CVE-2025-61959) disclosed verbose error pages on invalid requests, inadvertently leaking application stack traces and configuration files. Both issues were exploitable without authentication, posing significant data privacy and operational risk across healthcare sites globally.
This incident spotlights ongoing risks to healthcare organizations due to misconfigurations and unnecessary exposure of sensitive developer endpoints. With increasing regulatory pressure on patient data security and the healthcare sector's targeted threat profile, such vulnerabilities could lead to compliance violations or facilitate wider attacks.
Why This Matters Now
Healthcare and critical infrastructure providers remain frequent targets for cyberattacks exploiting simple configuration errors. As healthcare regulatory scrutiny intensifies and attackers innovate in reconnaissance, exposure of internal endpoints and verbose application errors create urgent, high-impact risks.
Attack Path Analysis
A remote attacker exploited an unauthenticated and exposed ASP.NET tracing endpoint to retrieve sensitive system traces and error messages. Using this information, the attacker could enumerate the environment and potentially escalate privileges by identifying session tokens or authorization headers. With internal information disclosed, lateral movement to additional systems may occur by targeting related endpoints or services. If successful, the attacker could establish covert communications for command and control or stage further attacks. Sensitive data may then be exfiltrated via outbound channels, and though the primary risk is data exposure, deeper impact such as reputational damage or enabling further attacks could result.
Kill Chain Progression
Initial Compromise
Description
The attacker remotely accessed the exposed /trace.axd and unauthenticated error pages, retrieving sensitive backend traces and error details.
Related CVEs
CVE-2025-54459
CVSS 7.5The Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing remote attackers to obtain live request traces and sensitive information.
Affected Products:
Vertikal Systems Hospital Manager Backend Services – <= 2025-09-19
Exploit Status:
no public exploitCVE-2025-61959
CVSS 5.3The Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode="Off"'.
Affected Products:
Vertikal Systems Hospital Manager Backend Services – <= 2025-09-19
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Gather Victim Host Information
Search Open Websites/Domains
Active Scanning
Unsecured Credentials
Account Discovery
Data from Information Repositories
Network Service Scanning
Gather Victim Network Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication and Access Control
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Art. 10(1)
NIS2 Directive – Technical and Organizational Measures – Security of Network and Information Systems
Control ID: Art. 21(2)(d)
CISA ZTMM 2.0 – Access Authentication & Authorization
Control ID: Identity Pillar: IA-2
HIPAA Security Rule – Access Control
Control ID: 164.312(a)(1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Hospital Manager Backend Services vulnerabilities expose patient data, session identifiers, and internal systems through unauthenticated endpoints, violating HIPAA compliance requirements.
Information Technology/IT
ASP.NET tracing endpoint exposure and verbose error messages create reconnaissance opportunities for attackers targeting healthcare IT infrastructure and backend services.
Government Administration
Critical infrastructure vulnerabilities in healthcare systems pose national security risks, requiring immediate defensive measures and network isolation per CISA recommendations.
Computer Software/Engineering
Framework version disclosure and insecure configuration settings demonstrate software development security gaps affecting ASP.NET applications across multiple deployment environments.
Sources
- Vertikal Systems Hospital Manager Backend Serviceshttps://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-301-01Verified
- Vertikal Systems Product Contact Pagehttps://www.vertikalsystems.com/en/products/pm/contact.phpVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, strict egress control, and real-time visibility would have restricted attacker access to unauthenticated endpoints, reduced lateral pivoting opportunities, and detected or blocked unauthorized data exfiltration. CNSF-aligned controls enforce least privilege, policy-driven connectivity, and deep traffic inspection to constrain attack progression.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized inbound web requests to exposed endpoints.
Control: Zero Trust Segmentation
Mitigation: Prevented lateral usage of compromised credentials across segmented services.
Control: East-West Traffic Security
Mitigation: Detected and restricted unauthorized east-west traversal inside the cloud environment.
Control: Threat Detection & Anomaly Response
Mitigation: Alerted and responded to suspicious outbound command and control attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized data transfer to external destinations.
Provided centralized audit and rapid incident investigation.
Impact at a Glance
Affected Business Functions
- Patient Records Management
- Billing Systems
- Appointment Scheduling
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of patient records, including personal and medical information, due to unauthorized access to sensitive system information.
Recommended Actions
Key Takeaways & Next Steps
- • Assess and remediate all externally exposed endpoints lacking strong authentication and minimize public surface area.
- • Enforce Zero Trust segmentation between services using identity- and namespace-based policy controls.
- • Deploy east-west and egress security controls to monitor, limit, and alert on anomalous internal and outbound traffic.
- • Integrate cloud-native firewalling and anomaly detection to rapidly identify and block unauthorized access attempts.
- • Establish centralized visibility and audit for continuous monitoring and speedy incident investigation across all cloud and hybrid assets.
