https://feed.craftedsignal.io/products/epa4all-client--1.2.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 May 2026 18:32:08 +0000https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-mitm/Fri, 15 May 2026 18:32:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-epa4all-client-mitm/A man-in-the-middle attacker within the TI network can exploit CVE-2026-45575 in com.oviva.telematik:epa4all-client versions prior to 1.2.2 to substitute a forged discovery document and capture signed authentication material.The epa4all-client is vulnerable to a man-in-the-middle (MITM) attack (CVE-2026-45575) due to improper verification of cryptographic signatures. An attacker positioned within the TI network, capable of intercepting and modifying TLS traffic between the client and the Identity Provider (IDP), can substitute the legitimate discovery document with a forged one. This forged document redirects the uri_puk_idp_enc and uri_puk_idp_sig parameters to attacker-controlled URLs. This vulnerability affects versions of com.oviva.telematik:epa4all-client prior to 1.2.2. Successful exploitation allows the attacker to steal the SMC-B-signed challenge response, enabling unauthorized access.

Attack Chain

1. The attacker performs a MITM attack on the TLS connection between the epa4all-client and the IDP within the TI network.
2. The attacker intercepts the legitimate discovery document transmitted from the IDP to the client.
3. The attacker substitutes the legitimate discovery document with a forged document crafted to redirect traffic to attacker-controlled endpoints.
4. The forged discovery document redirects uri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs.
5. The epa4all-client, trusting the forged document, encrypts the SMC-B-signed challenge response using the attacker’s encryption key.
6. The client then POSTs the encrypted, signed authentication material to the attacker’s designated authentication endpoint.
7. The attacker captures the signed authentication material from the POST request.
8. The attacker uses the captured authentication material to gain unauthorized access to protected resources or impersonate the user.

Impact

Successful exploitation of CVE-2026-45575 allows an attacker to capture the SMC-B-signed challenge response, enabling unauthorized access to sensitive healthcare data or services within the Telematikinfrastruktur (TI) network. This could lead to data breaches, compliance violations, and potential misuse of patient information. The vulnerability impacts all deployments of com.oviva.telematik:epa4all-client versions prior to 1.2.2 within the TI network where a MITM attack is feasible.

Recommendation

• Upgrade com.oviva.telematik:epa4all-client to version 1.2.2 or later to incorporate the fix for CVE-2026-45575.
• Implement network monitoring to detect suspicious TLS traffic patterns indicative of MITM attacks within the TI network.
• Monitor network connections for connections to unusual or unexpected external URLs as a result of a forged discovery document.
• Implement the network connection rule to monitor for connections to external IP addresses or domains, as this could indicate a forged discovery document has been used.

]]>highadvisorycvemitmcredential-accesshttps://feed.craftedsignal.io/briefs/2026-05-epa4all-client-tls-validation/Fri, 15 May 2026 18:29:54 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-epa4all-client-tls-validation/The epa4all-client library before version 1.2.2 is vulnerable to a TLS certificate validation issue, allowing a man-in-the-middle attacker to intercept SOAP traffic and sensitive patient data by presenting a malicious TLS certificate.The epa4all-client library, used for electronic patient record (ePA) interactions, contains a flaw that disables TLS certificate validation in production environments. This vulnerability, present in versions prior to 1.2.2, allows an attacker positioned on the network path between the ePA service and the Konnektor to intercept all SOAP traffic. This includes sensitive information such as patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. The vulnerability is identified as CVE-2026-45574 and was reported by Machine Spirits. Exploitation of this flaw allows for significant data breaches and unauthorized access to patient information.

Attack Chain

1. An attacker positions themselves on the network path between the ePA client (using the vulnerable library) and the ePA service/Konnektor.
2. The ePA client attempts to establish a TLS connection to the ePA service.
3. The attacker intercepts the TLS handshake and presents a malicious TLS certificate (self-signed, expired, or with a wrong CN).
4. Due to the disabled TLS certificate validation in the vulnerable epa4all-client library, the client accepts the malicious certificate without proper verification.
5. A secure TLS connection is established between the ePA client and the attacker, who is impersonating the legitimate ePA service.
6. The ePA client sends SOAP requests containing sensitive data (patient identifiers, SMC-B card operations, document content, and credentials) over the TLS connection.
7. The attacker intercepts and decrypts the SOAP traffic, gaining access to the sensitive data.
8. The attacker can then use the stolen data for malicious purposes, such as identity theft, fraud, or unauthorized access to patient records.

Impact

Successful exploitation of this vulnerability allows an attacker to intercept and steal sensitive patient data transmitted between the ePA client and the ePA service. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. A successful attack could lead to large-scale data breaches, identity theft, and unauthorized access to confidential patient records, impacting potentially thousands of patients and healthcare providers using the vulnerable epa4all-client library.

Recommendation

• Upgrade the epa4all-client library to version 1.2.2 or later to remediate the TLS certificate validation vulnerability (CVE-2026-45574).
• As a workaround, use the library directly instead of the REST wrapper as suggested in the advisory.
• Monitor network traffic for unexpected TLS connections originating from applications using the epa4all-client library, using the rules below, especially if connections use non-standard certificates.

]]>mediumadvisorytlscertificate-validationmitmcredential-accesscve-2026-45574