CVE-2023-37679
published 2023-08-03

CVE-2023-37679: A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.

Priority: P1 (93) · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 97.11% (99.9th percentile)
Affected

2 ranges

Vendor: nextgen · Product: mirth_connect · Version range: < 4.4.1 · Fixed in: 4.4.1
Vendor: nextgen · Product: mirth_connect · Version range: (not given) · Fixed in: (not given)

Detection & IOCs (extracted from sources)

url: GET /api/server/version HTTP/1.1
url: POST /api/users HTTP/1.1
path: /api/server/version
path: /api/users
port: 8080
port: 8443
other: X-Requested-With: OpenAPI
process: java.exe
process: mcserver
filename: mirth.log
sigma: Mirth Connect Java process spawning cmd.exe, powershell.exe, or /bin/bash
  • Detect exploitation attempts by monitoring for POST requests to /api/users with Content-Type: application/xml from unauthenticated sources, combined with HTTP 500 response codes.
  • Identify vulnerable Mirth Connect instances by querying /api/server/version with the X-Requested-With: OpenAPI header and checking if the returned version is less than 4.4.1.
  • Use Shodan or FOFA to discover exposed Mirth Connect administrator portals as potential targets.
  • Monitor Mirth Connect server logs (mirth.log) for com.thoughtworks.xstream.converters.ConversionException or SecurityException errors, which may indicate failed exploitation attempts.
  • Alert on the Mirth Connect Java process (java.exe or mcserver) spawning child processes such as cmd.exe, powershell.exe, or /bin/bash as a sign of successful RCE.
  • Monitor for unexpected outbound network connections from the Mirth Connect server, especially to unknown external IPs or on C2-associated ports.
  • The exploit targets the XmlMessageBodyReader class which processes incoming XML requests before authentication is checked — flag any unauthenticated XML POST to API endpoints.
  • Look for InvokerTransformer class references from Apache Commons Collections in XML payloads sent to Mirth Connect API endpoints, as this is the bypass gadget chain used to circumvent the original CVE-2023-37679 patch.
  • The original CVE-2023-37679 patch used a denylist approach (blocking specific classes like ProcessBuilder), which was bypassed. Detection rules based solely on blocking ProcessBuilder class names in XML payloads will not catch CVE-2023-43208 exploitation using InvokerTransformer chains.
  • Successful exploitation may leave minimal log traces; log-based detection is most useful for catching failed attempts, not confirmed compromises.
  • The Metasploit module was tested on versions 4.1.1, 4.3.0, and 4.4.0; detection and testing coverage should include these specific versions.
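The first two detection bullets above (unauthenticated XML POSTs to /api/users answered with HTTP 500, and a reported server version below 4.4.1) as an added Python example; this is not part of the cvebase record or of Mirth Connect. The access-log layout and the sample lines are constructed for the example, so the regex must be adapted to whatever proxy or WAF log format actually sits in front of the server.

```python
import re

# Constructed sample log lines (assumed format: client IP, request line,
# status, request Content-Type, and whether any auth cookie/header was sent).
SAMPLE_LOG = """\
203.0.113.7 "POST /api/users HTTP/1.1" 500 ct="application/xml" auth="-"
198.51.100.2 "POST /api/users HTTP/1.1" 200 ct="application/xml" auth="JSESSIONID"
203.0.113.7 "GET /api/server/version HTTP/1.1" 200 ct="-" auth="-"
192.0.2.9 "POST /api/users HTTP/1.1" 500 ct="application/json" auth="-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'ct="(?P<ct>[^"]*)" auth="(?P<auth>[^"]*)"$'
)

def is_suspicious(line: str) -> bool:
    """True for an unauthenticated XML POST to /api/users that ended in HTTP 500,
    the pattern the detection guidance associates with failed exploitation attempts."""
    m = LOG_RE.match(line)
    if not m:
        return False
    media_type = m["ct"].split(";")[0].strip().lower()  # drop charset parameters
    return (
        m["method"] == "POST"
        and m["path"] == "/api/users"
        and m["status"] == "500"
        and media_type == "application/xml"
        and m["auth"] in ("", "-")
    )

def suspicious_sources(log_text: str) -> list[str]:
    """Distinct client IPs that produced at least one suspicious request."""
    hits = {LOG_RE.match(l)["ip"] for l in log_text.splitlines() if is_suspicious(l)}
    return sorted(hits)

FIXED_VERSION = (4, 4, 1)  # first fixed release per the affected-range table

def parse_version(version: str) -> tuple[int, int, int]:
    """Turn a version string such as '4.4.0' into a comparable 3-tuple (zero-padded)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version: str) -> bool:
    """Inventory check: a reported server version below 4.4.1 is in the affected range."""
    return parse_version(version) < FIXED_VERSION

if __name__ == "__main__":
    print("suspicious sources:", suspicious_sources(SAMPLE_LOG))
    for v in ("4.1.1", "4.3.0", "4.4.0", "4.4.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```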

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL