Impact
The vulnerability arises from disabled TLS certificate validation in the epa4all‑client Java application. When an attacker controls the network path between the ePA service and the Konnektor, they can present any TLS certificate—self‑signed, expired, or with an incorrect common name—and intercept all SOAP traffic. The consequence is the exposure of sensitive patient identifiers, SMC‑B card authentication and signing operations, document contents, and credential exchanges, violating confidentiality and potentially allowing further misuse of the captured data.
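The class of flaw described above, as an added illustration that is not the epa4all-client project's own code: the "trust everything" Java TLS configuration that produces exactly this exposure, beside the hardened form that validates the server chain against an explicit trust store. The trust-store path and password are assumed placeholders.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class EpaTlsConfig {

    // WEAK: the pattern behind "disabled certificate validation".
    // An X509TrustManager whose check methods never throw accepts any chain
    // (self-signed, expired, wrong name), and a HostnameVerifier that always
    // returns true drops the last check. A network attacker between the
    // ePA service and the Konnektor can then terminate TLS and read the SOAP traffic.
    static SSLSocketFactory weakTrustAllFactory() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        // Global side effect: every HttpsURLConnection in the JVM stops checking names.
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
        return ctx.getSocketFactory();
    }

    // HARDENED: build the trust managers from an explicit trust store that holds
    // only the issuing CAs the client should accept (assumed placeholder path),
    // and leave the JDK's default hostname verifier in place.
    static SSLSocketFactory pinnedTrustStoreFactory(String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);          // chain validation against the pinned CAs only
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Apply the hardened factory to a single connection instead of the JVM default.
    static HttpsURLConnection open(java.net.URL url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        return conn;
    }
}
```

When reviewing a client for this issue, grep for empty `checkServerTrusted` bodies, `getAcceptedIssuers` returning an empty array, and `HostnameVerifier` lambdas that return a constant `true`; any of these is the weak pattern regardless of how the surrounding SOAP stack is configured.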
Affected Systems
The issue affects the epa4all‑client Java client used for ePA 3.0 in the Telematik Infrastruktur. Versions prior to 1.2.2 of the client released by com.oviva.telematik and oviva‑ag contain the flaw. Any deployment of these older releases is susceptible.
Risk and Exploitability
The CVSS score of 8.1 indicates a severe risk. Although no EPSS score is available, the absence of any mitigating configuration means that a network-level attacker can exploit the flaw without sophisticated prerequisites. The vulnerability is not listed in the CISA KEV catalog, but its impact on personal health information warrants immediate attention. The likely attack vector, as inferred from the description, is a network-based man-in-the-middle between the ePA service and the Konnektor.
Sources: OpenCVE Enrichment; GitHub GHSA