{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/epa4all-client--1.2.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["epa4all-client (\u003c 1.2.2)"],"_cs_severities":["high"],"_cs_tags":["cve","mitm","credential-access"],"_cs_type":"advisory","_cs_vendors":["Oviva"],"content_html":"\u003cp\u003eThe \u003ccode\u003eepa4all-client\u003c/code\u003e is vulnerable to a man-in-the-middle (MITM) attack (CVE-2026-45575) due to improper verification of cryptographic signatures. An attacker positioned within the TI network, capable of intercepting and modifying TLS traffic between the client and the Identity Provider (IDP), can substitute the legitimate discovery document with a forged one. This forged document redirects the \u003ccode\u003euri_puk_idp_enc\u003c/code\u003e and \u003ccode\u003euri_puk_idp_sig\u003c/code\u003e parameters to attacker-controlled URLs. This vulnerability affects versions of \u003ccode\u003ecom.oviva.telematik:epa4all-client\u003c/code\u003e prior to 1.2.2. Successful exploitation allows the attacker to steal the SMC-B-signed challenge response, enabling unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker performs a MITM attack on the TLS connection between the \u003ccode\u003eepa4all-client\u003c/code\u003e and the IDP within the TI network.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the legitimate discovery document transmitted from the IDP to the client.\u003c/li\u003e\n\u003cli\u003eThe attacker substitutes the legitimate discovery document with a forged document crafted to redirect traffic to attacker-controlled endpoints.\u003c/li\u003e\n\u003cli\u003eThe forged discovery document redirects \u003ccode\u003euri_puk_idp_enc\u003c/code\u003e and \u003ccode\u003euri_puk_idp_sig\u003c/code\u003e to attacker-controlled URLs.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eepa4all-client\u003c/code\u003e, trusting the forged document, encrypts the SMC-B-signed challenge response using the attacker\u0026rsquo;s encryption key.\u003c/li\u003e\n\u003cli\u003eThe client then POSTs the encrypted, signed authentication material to the attacker\u0026rsquo;s designated authentication endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the signed authentication material from the POST request.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured authentication material to gain unauthorized access to protected resources or impersonate the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45575 allows an attacker to capture the SMC-B-signed challenge response, enabling unauthorized access to sensitive healthcare data or services within the Telematikinfrastruktur (TI) network. This could lead to data breaches, compliance violations, and potential misuse of patient information. The vulnerability impacts all deployments of \u003ccode\u003ecom.oviva.telematik:epa4all-client\u003c/code\u003e versions prior to 1.2.2 within the TI network where a MITM attack is feasible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecom.oviva.telematik:epa4all-client\u003c/code\u003e to version 1.2.2 or later to incorporate the fix for CVE-2026-45575.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious TLS traffic patterns indicative of MITM attacks within the TI network.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for connections to unusual or unexpected external URLs as a result of a forged discovery document.\u003c/li\u003e\n\u003cli\u003eImplement the network connection rule to monitor for connections to external IP addresses or domains, as this could indicate a forged discovery document has been used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:32:08Z","date_published":"2026-05-15T18:32:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-mitm/","summary":"A man-in-the-middle attacker within the TI network can exploit CVE-2026-45575 in com.oviva.telematik:epa4all-client versions prior to 1.2.2 to substitute a forged discovery document and capture signed authentication material.","title":"epa4all-client Improper Verification of Cryptographic Signature Vulnerability (CVE-2026-45575)","url":"https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-mitm/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["epa4all-client (\u003c 1.2.2)"],"_cs_severities":["medium"],"_cs_tags":["tls","certificate-validation","mitm","credential-access","cve-2026-45574"],"_cs_type":"advisory","_cs_vendors":["Oviva AG"],"content_html":"\u003cp\u003eThe \u003ccode\u003eepa4all-client\u003c/code\u003e library, used for electronic patient record (ePA) interactions, contains a flaw that disables TLS certificate validation in production environments. This vulnerability, present in versions prior to 1.2.2, allows an attacker positioned on the network path between the ePA service and the Konnektor to intercept all SOAP traffic. This includes sensitive information such as patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. The vulnerability is identified as CVE-2026-45574 and was reported by Machine Spirits. Exploitation of this flaw allows for significant data breaches and unauthorized access to patient information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker positions themselves on the network path between the ePA client (using the vulnerable library) and the ePA service/Konnektor.\u003c/li\u003e\n\u003cli\u003eThe ePA client attempts to establish a TLS connection to the ePA service.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the TLS handshake and presents a malicious TLS certificate (self-signed, expired, or with a wrong CN).\u003c/li\u003e\n\u003cli\u003eDue to the disabled TLS certificate validation in the vulnerable \u003ccode\u003eepa4all-client\u003c/code\u003e library, the client accepts the malicious certificate without proper verification.\u003c/li\u003e\n\u003cli\u003eA secure TLS connection is established between the ePA client and the attacker, who is impersonating the legitimate ePA service.\u003c/li\u003e\n\u003cli\u003eThe ePA client sends SOAP requests containing sensitive data (patient identifiers, SMC-B card operations, document content, and credentials) over the TLS connection.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts and decrypts the SOAP traffic, gaining access to the sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the stolen data for malicious purposes, such as identity theft, fraud, or unauthorized access to patient records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to intercept and steal sensitive patient data transmitted between the ePA client and the ePA service. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. A successful attack could lead to large-scale data breaches, identity theft, and unauthorized access to confidential patient records, impacting potentially thousands of patients and healthcare providers using the vulnerable \u003ccode\u003eepa4all-client\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eepa4all-client\u003c/code\u003e library to version 1.2.2 or later to remediate the TLS certificate validation vulnerability (CVE-2026-45574).\u003c/li\u003e\n\u003cli\u003eAs a workaround, use the library directly instead of the REST wrapper as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected TLS connections originating from applications using the \u003ccode\u003eepa4all-client\u003c/code\u003e library, using the rules below, especially if connections use non-standard certificates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:29:54Z","date_published":"2026-05-15T18:29:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-tls-validation/","summary":"The epa4all-client library before version 1.2.2 is vulnerable to a TLS certificate validation issue, allowing a man-in-the-middle attacker to intercept SOAP traffic and sensitive patient data by presenting a malicious TLS certificate.","title":"epa4all-client Library Vulnerable to TLS Certificate Validation Issue (CVE-2026-45574)","url":"https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-tls-validation/"}],"language":"en","title":"CraftedSignal Threat Feed — Epa4all-Client (\u003c 1.2.2)","version":"https://jsonfeed.org/version/1.1"}