med-united epa4all
TLS Certificate Verification Disabled
The application disables TLS certificate verification on its outbound connections. An attacker on the network path between epa4all and its backends — the ePA Aktensystem, the IDP, or the Konnektor — can present any certificate, including a self-signed one, and intercept the traffic.
This advisory contains limited information during coordinated disclosure. Please check back later for full details.
Description
Per the vendor's advisory, the application initialises its TLS stack with certificate verification disabled, accepting any server certificate on its outbound connections.
An attacker on the network path between epa4all and the ePA backend can present any certificate — self-signed, expired, or with the wrong host name — terminate the TLS connection, and relay the traffic. In the product's deployment model (an on-premise container in a doctor's practice) the attacker is any device on the clinical network.
Impact
- A network attacker between epa4all and its backends can intercept and modify the outbound traffic, including patient identifiers, document content, and credential exchanges. Combined with the missing VAU server verification, the ePA backend is not authenticated at either the transport or the application layer.
Mitigation
Update to a build dated 2026-05-20 or later, which restores certificate and hostname verification and pins the gematik TI PKI via a Telematik-TSL-based keystore. No workaround exists for affected builds.
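The following Go program is an added example, not code from the advisory or from the epa4all project (whose TLS stack and implementation language the advisory does not name). It places the vulnerable pattern from the Description next to the hardened form the Mitigation calls for: an explicit trust store standing in for the Telematik-TSL-based keystore, plus an expected host name. Every certificate, the host names epa-backend.example and rogue.example, and the two in-process HTTPS servers are constructed test fixtures; the names are hypothetical and are not real TI endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert builds a throwaway SAN-only self-signed certificate for host. It is
// constructed test data, so a fixture that cannot be built is treated as a bug (panic).
func selfSignedCert(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{host},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveTLS starts a local HTTPS server that presents cert and answers every request with reply.
func serveTLS(cert tls.Certificate, reply string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, reply)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// InsecureConfig is the vulnerable pattern: InsecureSkipVerify disables chain and hostname checks.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// PinnedConfig is the hardened form: an explicit trust store (stand-in for a TSL keystore) plus the expected host name.
func PinnedConfig(trusted *x509.CertPool, expectedHost string) *tls.Config {
	return &tls.Config{RootCAs: trusted, ServerName: expectedHost, MinVersion: tls.VersionTLS12}
}

// get fetches url with cfg and returns the body; a failed verification surfaces as err.
func get(url string, cfg *tls.Config) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

type Outcome struct {
	InsecureVsRogue  string // body the insecure client accepted from the rogue endpoint
	PinnedVsGenuine  string // body the pinned client received from the genuine backend
	PinnedVsRogueErr error  // handshake error the pinned client raised against the rogue endpoint
}

// RunScenario stands up a "genuine" backend and a "rogue" on-path endpoint with distinct self-signed certificates, then tries both client configurations against them.
func RunScenario() (out Outcome, err error) {
	const backendHost = "epa-backend.example" // hypothetical name, not a real TI endpoint
	genuineCert, rogueCert := selfSignedCert(backendHost), selfSignedCert("rogue.example")
	genuine := serveTLS(genuineCert, "genuine ePA backend")
	defer genuine.Close()
	rogue := serveTLS(rogueCert, "intercepted by rogue endpoint")
	defer rogue.Close()
	// The trust store holds only the genuine backend's certificate.
	trusted := x509.NewCertPool()
	trusted.AddCert(genuineCert.Leaf)
	// Vulnerable client: the rogue endpoint's self-signed certificate is accepted.
	if out.InsecureVsRogue, err = get(rogue.URL, InsecureConfig()); err != nil {
		return out, err
	}
	// Hardened client: the genuine backend verifies against the pinned trust store ...
	if out.PinnedVsGenuine, err = get(genuine.URL, PinnedConfig(trusted, backendHost)); err != nil {
		return out, err
	}
	// ... and the rogue endpoint is rejected during the handshake.
	_, out.PinnedVsRogueErr = get(rogue.URL, PinnedConfig(trusted, backendHost))
	return out, nil
}
```

RunScenario returns the three observations a reviewer would want from a fix like the one described: the insecure client happily reads the rogue endpoint's response, the pinned client still reaches the genuine backend, and the pinned client refuses the rogue endpoint before any application data is sent. In a real deployment the CertPool would be populated from the TSL-derived keystore and the expected host name from the configured backend URL rather than from fixtures.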
References
Who We Are
The security researchers behind this advisory.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of THB MedSec Research Group
- gematik Security Hero

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero
Looking for a Penetration Test?
Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.
