PatchSiren cyber security CVE debrief
CVE-2025-54459 Vertikal Systems CVE debrief
CVE-2025-54459 covers an unauthenticated exposure of the ASP.NET tracing endpoint /trace.axd in Vertikal Systems Hospital Manager Backend Services. The issue could let a remote attacker view live request traces and sensitive information, including request metadata, session identifiers, authorization headers, server variables, and internal file paths. Vertikal Systems reported the issue was fixed by September 19, 2025, before the public advisory was published on October 28, 2025.
- Vendor: Vertikal Systems
- Product: Hospital Manager Backend Services
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-28
- Original CVE updated: 2025-10-28
- Advisory published: 2025-10-28
- Advisory updated: 2025-10-28
Who should care
Organizations running Vertikal Systems Hospital Manager Backend Services, especially administrators responsible for internet-facing ASP.NET deployments, web platform hardening, and incident response for possible exposure of session or authorization data.
Technical summary
According to the CISA CSAF advisory, /trace.axd was exposed without authentication prior to September 19, 2025. Because the endpoint can reveal live request traces, the impact is confidentiality-focused and remote: an attacker with network access could retrieve sensitive request and server details without needing credentials or user interaction. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which aligns with high confidentiality impact and no direct integrity or availability impact in the advisory.
Defensive priority
High. Treat as a credential- and metadata-exposure issue: confirm the vendor fix is deployed, ensure tracing endpoints are not exposed externally, and review whether any sensitive values were captured in traces before remediation.
Recommended defensive actions
- Verify that all Hospital Manager Backend Services instances are updated with the vendor fix reported as available by September 19, 2025.
- Ensure /trace.axd and related ASP.NET tracing features are not reachable from untrusted networks or the public internet.
- Review web server and application logs for evidence that traces, session identifiers, authorization headers, or other sensitive values may have been exposed.
- Rotate or invalidate credentials, session tokens, or other secrets if trace exposure is suspected.
- Contact Vertikal Systems support for product-specific remediation guidance and validation steps.
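The two checks below are an added example written for this debrief; they are not Vertikal Systems code and do not depend on the vendor product. The first parses the ASP.NET `<system.web><trace>` element of a web.config and reports whether tracing is both enabled and reachable by remote clients (`enabled="true"` together with `localOnly="false"` is the combination that serves /trace.axd to non-local requests; ASP.NET's defaults when the attributes are absent are enabled=false and localOnly=true). The second walks IIS W3C log lines, using the `#Fields` header for column order, and lists successful trace.axd requests from non-loopback clients, which are the events that would justify the credential and session rotation recommended above. The web.config fragments and log lines are constructed sample data, not captured from any deployment.

```python
"""Defender-side checks for ASP.NET tracing exposure.

Added example for the CVE-2025-54459 debrief; not vendor code. Input is a
web.config string and IIS W3C log text; the samples below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed weak setting: tracing on and served to any client.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
  </system.web>
</configuration>"""

# Constructed hardened setting: tracing off and, if ever re-enabled,
# restricted to requests from the local machine.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""


def trace_exposure(web_config_xml: str) -> dict:
    """Report how <system.web><trace> is configured.

    ASP.NET defaults when the element or an attribute is absent are
    enabled=false and localOnly=true. remote_exposed is True only when
    tracing is enabled AND localOnly is false, the condition under which
    a remote client can read /trace.axd.
    """
    root = ET.fromstring(web_config_xml)
    trace = root.find("./system.web/trace")
    enabled = False
    local_only = True
    if trace is not None:
        enabled = trace.get("enabled", "false").strip().lower() == "true"
        local_only = trace.get("localOnly", "true").strip().lower() == "true"
    return {
        "enabled": enabled,
        "local_only": local_only,
        "remote_exposed": enabled and not local_only,
    }


# Constructed IIS W3C log excerpt; the #Fields line defines column order.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2025-09-10 08:01:12 10.0.0.5 GET /api/patients id=42 443 - 10.0.0.23 Mozilla/5.0 - 200 0 0 31
2025-09-10 08:02:40 10.0.0.5 GET /trace.axd - 443 - 203.0.113.17 curl/8.4.0 - 200 0 0 12
2025-09-10 08:02:41 10.0.0.5 GET /Trace.axd id=3 443 - 203.0.113.17 curl/8.4.0 - 200 0 0 9
2025-09-10 08:03:05 10.0.0.5 GET /trace.axd - 443 - 127.0.0.1 Mozilla/5.0 - 200 0 0 10
2025-09-10 08:04:00 10.0.0.5 GET /trace.axd - 443 - 198.51.100.8 python-requests/2.31 - 403 0 0 3
"""


def trace_axd_hits(log_text: str) -> list[dict]:
    """Return successful (2xx) trace.axd requests from non-loopback clients.

    Column positions come from the #Fields header, so the parser follows
    whatever field selection the server was logging. A loopback client is
    excluded because localOnly tracing legitimately answers those; a 403
    is excluded because nothing was disclosed.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or differently-shaped line; skip it
        rec = dict(zip(fields, parts))
        if not rec["cs-uri-stem"].lower().endswith("/trace.axd"):
            continue
        status = int(rec["sc-status"])
        client = ipaddress.ip_address(rec["c-ip"])
        if 200 <= status < 300 and not client.is_loopback:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "query": rec["cs-uri-query"],
                "status": status,
            })
    return hits


if __name__ == "__main__":
    print("weak config:", trace_exposure(WEAK_WEB_CONFIG))
    print("hardened config:", trace_exposure(HARDENED_WEB_CONFIG))
    for hit in trace_axd_hits(SAMPLE_IIS_LOG):
        print("successful remote trace.axd request:", hit)
```

Run against a real deployment, the log scan should cover the full window before the vendor fix was applied; each distinct non-local client with a 2xx result is a reason to treat session tokens and authorization headers from that period as exposed. The config check is only a first pass: a `<location>` override, a machine-level web.config, or an explicit handler mapping for trace.axd can change the effective setting, so confirm the endpoint's behaviour from an untrusted network position after remediation.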
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSMA-25-301-01 for Vertikal Systems Hospital Manager Backend Services. The advisory states that, prior to September 19, 2025, /trace.axd was exposed without authentication and could reveal live request traces plus sensitive data such as request metadata, session identifiers, authorization headers, server variables, and internal file paths. The advisory also states that Vertikal Systems fixed the issue by September 19, 2025. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5). The supplied enrichment marks this as not in CISA KEV.
Official resources
- CVE-2025-54459 CVE record (CVE.org)
- CVE-2025-54459 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)
Public advisory and CVE record were published on 2025-10-28. The source advisory states Vertikal Systems fixed the issue by 2025-09-19, so the remediation predates public disclosure.