All Advisories

secon-tool

Signature Verification Bypass via Unsigned CMS Message

secon-tool verifies the signature on an inbound CMS SignedData by iterating over the signers the message carries, but it does not require that at least one signer be present. A content-bearing message whose signer set is empty passes verification without error and is delivered as if a trusted sender had signed it. An attacker who knows the recipient's public encryption certificate, which is published in the GKV directory and is not a secret, can therefore have unsigned, attacker-chosen content accepted as a verified message; no private key and no enrolled sender identity are required.

This advisory contains limited information during coordinated disclosure. Please check back later for full details.

Authored byVolker Schönefeld, Simon Weber2026-07-15
SeverityHighCVSS 7.5CVSS 3.1 VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NCWECWE-347 (Improper Verification of Cryptographic Signature)Productsecon-toolAffected VersionsAll released versions up to and including 1.2.1.Fixed In1.2.2CVECVE-2026-62358GHSAGHSA-2c7x-4vwq-c58v

Description

secon-tool is the open-source reference implementation of the GKV SECON security interface (Anlage 16), which signs and encrypts message exchange across the German statutory health insurance system. We appreciate the project's work on a clean, auditable foundation for this interface. We reported this finding privately to Techniker Krankenkasse in June 2026; they responded constructively and released a fix.

The fix requires message verification to find at least one signer and rejects a SignedData whose signer set is empty, restoring the mandatory "at least one signer" requirement of Anlage 16 §3.1. This is a coordinated disclosure; the full technical writeup follows once the remediation window closes.

Impact

  • The recipient, a Krankenkasse or Leistungserbringer processing inbound SECON traffic, acts on arbitrary billing, membership, or DiGA content it treats as authenticated, though no legitimate signed sender produced it. Where the GKV transport gates submission behind sender enrollment, that transport layer authenticates delivery and narrows exposure to enrolled participants; the library-level defect is unchanged either way.

Mitigation

Upgrade to secon-tool 1.2.2 or later, which rejects an inbound SignedData that carries no signer. Until upgraded, operators can reduce exposure by rejecting inbound CMS messages whose SignedData has an empty signer set before passing them to secon-tool, and by confirming sender identity at the transport layer where the GKV exchange provides it.

References

How We Can Help

Who We Are

The security researchers behind this advisory.

Dr. Simon Weber Profile

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumni of THB MedSec Research Group
  • gematik Security Hero
Volker Schönefeld Profile

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.