CVE-2025-67752
Received Received - Intake
SSL/TLS Verification Bypass in OpenEMR HTTP Client Enables MITM

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/TLS certificate verification by default (`verify: false`), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67752
EUVD
EUVD-2025-208104
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 7.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67752 is a vulnerability in OpenEMR, an open source electronic health records application, where the HTTP client wrappers disable SSL/TLS certificate verification by default prior to version 7.0.4.

This means that when OpenEMR makes HTTPS connections to external services, it does not verify the authenticity of the SSL certificates, making these connections vulnerable to man-in-the-middle (MITM) attacks.

Attackers could intercept, read, or modify sensitive data transmitted over these connections, including Protected Health Information (PHI).

The vulnerability affects communication with government healthcare APIs and user-configurable external services.

Version 7.0.4 of OpenEMR fixes this issue by enabling SSL certificate verification by default and providing configuration options for custom certificate authorities.

Impact Analysis

This vulnerability can have severe impacts by exposing sensitive healthcare data to interception and manipulation.

  • Attackers can perform man-in-the-middle attacks to intercept HTTPS communications between OpenEMR and external services.
  • Exposed data can include Protected Health Information (PHI) such as patient medications, drug interactions, pharmacy locations, medical device identifiers, patient assessments, and OAuth tokens.
  • Attack vectors include compromised network devices, DNS spoofing, and database compromise leading to malicious URL injections.
  • The vulnerability can lead to loss of confidentiality, integrity, and availability of sensitive healthcare data.

Overall, this poses significant risks to patient privacy, data integrity, and the security of healthcare operations.

Compliance Impact

This vulnerability violates HIPAA Security Rule Β§164.312(e)(1), which requires transmission security to protect electronic Protected Health Information (ePHI).

Disabling SSL/TLS certificate verification allows insecure transmission channels vulnerable to interception, which is non-compliant with HIPAA requirements.

The fix in OpenEMR version 7.0.4 enforces SSL verification by default to maintain HIPAA compliance.

While GDPR is not explicitly mentioned, exposing personal health data through insecure communications could also violate GDPR principles of data protection and security.

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by verifying whether OpenEMR's HTTP client wrappers are disabling SSL/TLS certificate verification by default. Specifically, check if the HTTP requests made via cURL or GuzzleHttp clients have SSL verification disabled (`verify: false`)."}, {'type': 'paragraph', 'content': 'You can monitor outbound HTTPS connections for unexpected destinations and audit database globals for unauthorized URL changes that might indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Additionally, use test scripts or tools to verify SSL verification status by attempting connections to sites with expired, wrong hostname, self-signed, or untrusted root certificates. If connections succeed despite invalid certificates, the system is vulnerable.'}, {'type': 'list_item', 'content': 'Use tools like testssl.sh or SSLLabs to test SSL verification behavior.'}, {'type': 'list_item', 'content': 'Run curl commands with verbose output to check SSL verification, for example: `curl -v https://example.com` and observe if SSL errors are ignored.'}, {'type': 'list_item', 'content': 'Audit OpenEMR configuration and code for the presence of `verify: false` in HTTP client options.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade OpenEMR to version 7.0.4 or later, where SSL certificate verification is enabled by default for all HTTP client requests.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, configure the environment variable `OPENEMR_SETTING_http_verify_ssl` to `true` to enforce SSL verification.'}, {'type': 'paragraph', 'content': 'For environments using self-signed certificates, generate a CA certificate, sign internal server certificates, mount the CA certificate inside the container or server, and set `OPENEMR_SETTING_http_ca_cert` to the CA certificate path to enable proper verification.'}, {'type': 'paragraph', 'content': 'Audit and monitor outbound HTTPS connections and database globals to detect unauthorized changes or suspicious activity.'}, {'type': 'paragraph', 'content': "Obtain and use valid SSL certificates (e.g., via Let's Encrypt) for all external and internal services to maintain HIPAA compliance and secure communications."}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67752. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart