High
CVE-2023-43208
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2023-43208
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
CVE-2023-43208 is a significant security vulnerability in NextGen Healthcare’s Mirth Connect, a widely used open-source data integration platform in the healthcare sector. This vulnerability, identified as an unauthenticated remote code execution (RCE) issue, was addressed in Mirth Connect version 4.4.1, released on October 6, 2023.
The vulnerability is especially critical because it stems from an incomplete patch of a previous vulnerability, CVE-2023-37679. This previous issue was a similar RCE vulnerability, supposedly patched in Mirth Connect version 4.4.0. However, CVE-2023-43208 emerged due to the inadequate resolution of CVE-2023-37679, making it a patch bypass issue.
The technical specifics of CVE-2023-43208 relate to the insecure use of the Java XStream library for unmarshalling XML payloads. The vulnerability affects versions of Mirth Connect before 4.4.1 and is particularly alarming due to the ease of exploitation. Attackers could exploit this vulnerability for initial access or to compromise sensitive healthcare data.
The CVSS (Common Vulnerability Scoring System) score for CVE-2023-43208 is 9.8, categorizing it as a critical vulnerability.
In terms of available proofs of concept (PoCs) for exploiting this vulnerability, a POC script was included in Horizon’s write-up of this vulnerability: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/
Given the severity and ease of exploitation of CVE-2023-43208, it is strongly recommended for organizations using Mirth Connect to update to version 4.4.1 or later to mitigate the risks associated with this vulnerability. The critical nature of this vulnerability, combined with the sensitive environments in which Mirth Connect is typically deployed, underscores the importance of prompt and thorough patching efforts.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueMedium
Technical Analysis
Knocking down attacker value a bit because there appear to be only a few hundred of these exposed and vulnerable, and perhaps surprisingly, it’s been a few months since full details were released and there’s still no known exploitation. Unclear how common the engine is in real-world environments from talking to offensive security folks focused on healthcare. I think it’s fair to balance rightful sensitivity about anything that could compromise healthcare systems with some skepticism about the particular target in this case. If we see IRL exploitation, I’m happy to eat those words :)
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- nextgen
Products
- mirth connect
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/05/20/cisa-adds-two-known-exploited-vulnerabilities-catalog)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: