Cryptographic | CVSS 7.4 high
9 min read
The Service That Trusted Every Certificate
During a security assessment of an election management platform, a backend integration service was found to accept any TLS certificate during HTTPS connections to external endpoints — regardless of validity, expiry, or hostname match. The result was complete exposure to man-in-the-middle interception on traffic the platform considered encrypted and authenticated.