RCE Vulnerability For Popular Mirth Connect Open Source Healthcare Platform 

Horizon3.ai’s threat researchers have just published NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208).

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies (a recent survey cited approximately 3,000 organizations). The Horizon3.ai Attack Team findings show that versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability, CVE-2023-43208. 

Naveen Sunkavally, chief architect at Horizon3.ai, said: “This is an easily exploitable, unauthenticated remote code execution vulnerability. CVE-2023-37679 was reported to be fixed in Mirth Connect 4.4.0. In the release notes for 4.4.0, it was reported as only affecting Mirth Connect installs running on Java 8 or below. This caught our attention (why only Java 8?), and we started digging. We found that in fact, all installs of Mirth Connect, regardless of the Java version, were vulnerable. We also found that the patch for CVE-2023-37679 could be bypassed. We subsequently reported a new vulnerability to NextGen, tracked as CVE-2023-43208. The fix for CVE-2023-43208 is in 4.4.1.”

Sunkavally noted that attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data.  He said that while Horizon3.ai is not releasing an exploit at this time, the methods for exploitation (involving Java XStream) are well known and documented. “We have verified that Mirth Connect versions going as far back as 2015/2016 are vulnerable. “On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user” he said.

Sunkavally provided an example of exploiting the vulnerability in his blog post. He recommends that Mirth Connect users will want to upgrade to the latest patch release, which is 4.4.1, as of this writing.


Leave a Reply

%d bloggers like this: