{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/oviva/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["epa4all-client (\u003c 1.2.2)"],"_cs_severities":["high"],"_cs_tags":["cve","mitm","credential-access"],"_cs_type":"advisory","_cs_vendors":["Oviva"],"content_html":"\u003cp\u003eThe \u003ccode\u003eepa4all-client\u003c/code\u003e is vulnerable to a man-in-the-middle (MITM) attack (CVE-2026-45575) due to improper verification of cryptographic signatures. An attacker positioned within the TI network, capable of intercepting and modifying TLS traffic between the client and the Identity Provider (IDP), can substitute the legitimate discovery document with a forged one. This forged document redirects the \u003ccode\u003euri_puk_idp_enc\u003c/code\u003e and \u003ccode\u003euri_puk_idp_sig\u003c/code\u003e parameters to attacker-controlled URLs. This vulnerability affects versions of \u003ccode\u003ecom.oviva.telematik:epa4all-client\u003c/code\u003e prior to 1.2.2. Successful exploitation allows the attacker to steal the SMC-B-signed challenge response, enabling unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker performs a MITM attack on the TLS connection between the \u003ccode\u003eepa4all-client\u003c/code\u003e and the IDP within the TI network.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the legitimate discovery document transmitted from the IDP to the client.\u003c/li\u003e\n\u003cli\u003eThe attacker substitutes the legitimate discovery document with a forged document crafted to redirect traffic to attacker-controlled endpoints.\u003c/li\u003e\n\u003cli\u003eThe forged discovery document redirects \u003ccode\u003euri_puk_idp_enc\u003c/code\u003e and \u003ccode\u003euri_puk_idp_sig\u003c/code\u003e to attacker-controlled URLs.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eepa4all-client\u003c/code\u003e, trusting the forged document, encrypts the SMC-B-signed challenge response using the attacker\u0026rsquo;s encryption key.\u003c/li\u003e\n\u003cli\u003eThe client then POSTs the encrypted, signed authentication material to the attacker\u0026rsquo;s designated authentication endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the signed authentication material from the POST request.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured authentication material to gain unauthorized access to protected resources or impersonate the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45575 allows an attacker to capture the SMC-B-signed challenge response, enabling unauthorized access to sensitive healthcare data or services within the Telematikinfrastruktur (TI) network. This could lead to data breaches, compliance violations, and potential misuse of patient information. The vulnerability impacts all deployments of \u003ccode\u003ecom.oviva.telematik:epa4all-client\u003c/code\u003e versions prior to 1.2.2 within the TI network where a MITM attack is feasible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecom.oviva.telematik:epa4all-client\u003c/code\u003e to version 1.2.2 or later to incorporate the fix for CVE-2026-45575.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious TLS traffic patterns indicative of MITM attacks within the TI network.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for connections to unusual or unexpected external URLs as a result of a forged discovery document.\u003c/li\u003e\n\u003cli\u003eImplement the network connection rule to monitor for connections to external IP addresses or domains, as this could indicate a forged discovery document has been used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:32:08Z","date_published":"2026-05-15T18:32:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-mitm/","summary":"A man-in-the-middle attacker within the TI network can exploit CVE-2026-45575 in com.oviva.telematik:epa4all-client versions prior to 1.2.2 to substitute a forged discovery document and capture signed authentication material.","title":"epa4all-client Improper Verification of Cryptographic Signature Vulnerability (CVE-2026-45575)","url":"https://feed.craftedsignal.io/briefs/2026-05-epa4all-client-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Oviva","version":"https://jsonfeed.org/version/1.1"}