CVE-2023-37679
Published 2023-08-03
Priority P193 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 97.11% (99.9th percentile)
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextgen | mirth_connect | < 4.4.1 | 4.4.1 |
| nextgen | mirth_connect | — | — |
Detection & IOCs (extracted from sources)
Sigma: Mirth Connect Java process spawning cmd.exe, powershell.exe, or /bin/bash
- Detect exploitation attempts by monitoring for POST requests to /api/users with Content-Type: application/xml from unauthenticated sources, combined with HTTP 500 response codes.
- Identify vulnerable Mirth Connect instances by querying /api/server/version with the X-Requested-With: OpenAPI header and checking if the returned version is less than 4.4.1.
- Use Shodan or FOFA to discover exposed Mirth Connect administrator portals as potential targets.
- Monitor Mirth Connect server logs (mirth.log) for com.thoughtworks.xstream.converters.ConversionException or SecurityException errors, which may indicate failed exploitation attempts.
- Alert on the Mirth Connect Java process (java.exe or mcserver) spawning child processes such as cmd.exe, powershell.exe, or /bin/bash as a sign of successful RCE.
- Monitor for unexpected outbound network connections from the Mirth Connect server, especially to unknown external IPs or on C2-associated ports.
- The exploit targets the XmlMessageBodyReader class, which processes incoming XML requests before authentication is checked; flag any unauthenticated XML POST to API endpoints.
- Look for InvokerTransformer class references from Apache Commons Collections in XML payloads sent to Mirth Connect API endpoints, as this is the bypass gadget chain used to circumvent the original CVE-2023-37679 patch.
- The original CVE-2023-37679 patch used a denylist approach (blocking specific classes like ProcessBuilder), which was bypassed. Detection rules based solely on blocking ProcessBuilder class names in XML payloads will not catch CVE-2023-43208 exploitation using InvokerTransformer chains.
- Successful exploitation may leave minimal log traces; log-based detection is most useful for catching failed attempts, not confirmed compromises.
- The Metasploit module was tested on versions 4.1.1, 4.3.0, and 4.4.0; detection and testing coverage should include these specific versions.
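The indicators in the list above, as an added example that is not part of this page, of the quoted sources, or of the Mirth Connect project: a small Python script that applies the version check, the unauthenticated-XML-POST rule, the gadget-class scan (showing that a ProcessBuilder-only denylist misses the InvokerTransformer bypass), the mirth.log error match and the process-spawn rule to constructed sample records. The request record fields, the fully qualified gadget class names, the process names and the log line format are assumptions for the example, not facts taken from Mirth Connect.

```python
import re
from typing import Iterable

# Mirth Connect 4.4.1 is the fixed version for CVE-2023-37679 / CVE-2023-43208.
FIXED_VERSION = (4, 4, 1)

# Gadget class names to look for in XML bodies. The original CVE-2023-37679 patch
# denylisted ProcessBuilder; the CVE-2023-43208 bypass used InvokerTransformer from
# Apache Commons Collections. The fully qualified names are assumed for this example.
ORIGINAL_DENYLIST = ("java.lang.ProcessBuilder",)
GADGET_CLASSES = ORIGINAL_DENYLIST + (
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
)

# mirth.log errors listed above as signs of failed exploitation attempts.
MIRTH_LOG_RE = re.compile(
    r"com\.thoughtworks\.xstream\.converters\.ConversionException|SecurityException"
)

# Process names for the "server process spawns a shell" rule (assumed spellings).
SERVER_PROCS = {"java", "java.exe", "mcserver", "mcserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "/bin/bash", "bash", "/bin/sh", "sh"}


def parse_version(text: str) -> tuple:
    """'4.4.0' -> (4, 4, 0); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True for any version below 4.4.1 (e.g. the value /api/server/version returns)."""
    return parse_version(text) < FIXED_VERSION


def payload_matches(xml_body: str, classes: Iterable[str]) -> list:
    """Gadget class names referenced in an XML request body."""
    return [c for c in classes if c in xml_body]


def flag_request(req: dict) -> list:
    """Reasons an API request looks like an exploitation attempt.

    req is a constructed record with keys method, path, content_type,
    authenticated, status and body; map your proxy or WAF log fields onto it.
    """
    reasons = []
    media_type = req["content_type"].split(";")[0].strip().lower()
    is_xml = media_type in ("application/xml", "text/xml")
    if req["method"] == "POST" and req["path"].startswith("/api/") and is_xml and not req["authenticated"]:
        reasons.append("unauthenticated XML POST to API endpoint")
        if req["path"] == "/api/users" and req["status"] == 500:
            reasons.append("POST /api/users answered HTTP 500")
    hits = payload_matches(req.get("body", ""), GADGET_CLASSES)
    if hits:
        reasons.append("gadget class in body: " + ", ".join(hits))
    return reasons


def flag_mirth_log(line: str) -> bool:
    """True when a mirth.log line carries one of the failed-attempt error markers."""
    return bool(MIRTH_LOG_RE.search(line))


def suspicious_spawn(parent: str, child: str) -> bool:
    """True when the Mirth Connect server process spawns a shell."""
    return parent.lower() in SERVER_PROCS and child.lower() in SHELLS


# Constructed sample data (not real captures); the body only names the class.
INVOKER_BODY = "<list><org.apache.commons.collections.functors.InvokerTransformer/></list>"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/api/users", "content_type": "application/xml; charset=UTF-8",
     "authenticated": False, "status": 500, "body": INVOKER_BODY},
    {"method": "POST", "path": "/api/users", "content_type": "application/json",
     "authenticated": True, "status": 200, "body": '{"username": "admin"}'},
]
SAMPLE_MIRTH_LOG = [
    "ERROR 2024-05-25 10:00:01 [qtp-1] com.thoughtworks.xstream.converters.ConversionException: Cannot convert",
    "INFO  2024-05-25 10:00:02 [qtp-1] Channel deployed",
]


def run_samples() -> dict:
    """Run every check over the constructed samples and return the results."""
    return {
        "flagged_requests": [flag_request(r) for r in SAMPLE_REQUESTS],
        "denylist_catches_bypass": bool(payload_matches(INVOKER_BODY, ORIGINAL_DENYLIST)),
        "full_list_catches_bypass": bool(payload_matches(INVOKER_BODY, GADGET_CLASSES)),
        "log_hits": [flag_mirth_log(line) for line in SAMPLE_MIRTH_LOG],
        "vulnerable": {v: is_vulnerable_version(v) for v in ("4.1.1", "4.3.0", "4.4.0", "4.4.1")},
    }


if __name__ == "__main__":
    for key, value in run_samples().items():
        print(key, value)
```

The two payload_matches results are the point of the page's caveat: the same InvokerTransformer body passes the ProcessBuilder-only denylist and is caught only when the bypass gadget is on the list. Substring matching is deliberately loose; an attacker can still split or encode class names, so the process-spawn and outbound-connection rules remain the higher-confidence signals.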
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-pj5c-qr29-6746 (CVE-2023-43208) [CRITICAL] CWE-502: NextGen Healthcare Mirth Connect before version 4
ghsa_unreviewed · 2023-10-26 · CVSS 9.8
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
GHSA
GHSA-h9hg-9m55-82qp (CVE-2023-37679) [CRITICAL] CWE-77: A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4
ghsa_unreviewed · 2023-08-03
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
VulnCheck
CVE-2023-37679 [CRITICAL] nextgen mirth_connect: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2023 · CVSS 9.8
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
Affected: nextgen mirth_connect
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://x.com/MsftSecIntel/status/1781353319341928668; https://censys.com/cve-2023-43208/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-05-25&host_type=src&vulnerability=cve-2023-37679; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabili
No detection rules found.
Metasploit
CVE-2023-37679 [CRITICAL] Mirth Connect Deserialization RCE
metasploit · CVSS 9.8
A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later, researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was patched in Mirth Connect version 4.4.1. This module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.
Nuclei
CVE-2023-37679 [CRITICAL] NextGen Mirth Connect - Remote Code Execution
nuclei · CVSS 9.8
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability.
Template:
id: CVE-2023-37679
info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  impact: |
    Unauthenticated attackers can exploit XML deserialization vulnerabilities to execute arbitrary code on the Mirth Connect server, potentially compro
Huntress
CVE-2023-43208 [CRITICAL] CVE-2023-43208 (Mirth Connect RCE) Vulnerability: Analysis & Detection | Huntress
blogs_huntress · CVSS 9.8
CVE-2023-43208 Vulnerability
Published: 02/20/2026
Written by: Nadine Rozell
CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.
CVE-2023-43208 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting NextGen Healthcare Mirth Connect, a data integration platform widely used in the healthcare sector to process patient records (HL7, XML, etc.).
This page details how this Java deserialization flaw works, why the original patch failed, and how to secure your environment against it.
## What is CVE-2023-43208 vulnerability?
CVE-2023-43208 is an insecure deserialization vulnerability within the Mirth Connect API.
It allows an unauthenticated attacker to send a specially crafted XML payload t
Greynoiseio
NoiseLetter January 2024
blogs_greynoiseio
References:
- http://mirth.com
- http://nextgen.com
- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
- https://www.ihteam.net/advisory/mirth-connect