CVE-2023-43208
published 2023-10-26

Priority: P1 (99)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Exploit available, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2024-06-10
Exploited in the wild
EPSS: 82.71% (99.6th percentile)
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.

Affected (1 range)

Vendor    Product         Version range   Fixed in
nextgen   mirth_connect   < 4.4.1         4.4.1

Detection & IOCs (extracted from sources)

  • url: GET /api/server/version HTTP/1.1
  • url: POST /api/users HTTP/1.1
  • path: /api/server/version
  • path: /api/users
  • port: 8080
  • port: 8443
  • command: nslookup {{interactsh-url}}
  • other: X-Requested-With: OpenAPI
  • process: java.exe
  • process: mcserver
  • process: cmd.exe
  • process: powershell.exe
  • process: /bin/bash
  • sigma (Nuclei DSL matcher block from the PoC template):

      matchers:
        - type: dsl
          dsl:
            - 'compare_versions(version, "<4.4.1")'
            - 'contains(interactsh_protocol, "dns")'
            - 'status_code_1 == 200 && status_code_2 == 500'
          condition: and
  • Detect exploitation attempts by monitoring for POST requests to /api/users with Content-Type: application/xml from unauthenticated sources, combined with HTTP 500 response codes.
  • Monitor Mirth Connect server logs (mirth.log) for com.thoughtworks.xstream.converters.ConversionException or SecurityException errors, which may indicate failed exploitation attempts.
  • Alert on the Mirth Connect Java process (java.exe or mcserver) spawning child processes such as cmd.exe, powershell.exe, or /bin/bash, which indicates successful RCE.
  • Use Shodan/FOFA queries to identify exposed Mirth Connect instances: Shodan: title:"mirth connect administrator"; FOFA: title="mirth connect administrator".
  • Version check: send GET /api/server/version with header X-Requested-With: OpenAPI; a response version lower than 4.4.1 indicates a vulnerable instance.
  • The exploit payload uses the InvokerTransformer gadget chain from Apache Commons Collections to bypass the XStream denylist; detect XML bodies referencing java.lang.Runtime, getRuntime, exec, or InvokerTransformer in requests to Mirth Connect API endpoints.
  • The Nuclei PoC template confirms vulnerability by checking: HTTP 200 on version endpoint, HTTP 500 on POST /api/users with XML payload, and DNS callback interaction — use all three conditions together to reduce false positives.
  • Monitor for unexpected outbound network connections from the Mirth Connect server, particularly to unknown external IPs on ports 80, 443, and 445, which may indicate C2 activity post-exploitation.
  • The vulnerability is exploitable pre-authentication because XmlMessageBodyReader processes incoming XML requests before any authentication check is performed.
  • CVE-2023-43208 is a patch bypass of CVE-2023-37679; the original fix used a denylist approach (blocking ProcessBuilder) which was insufficient — the fix in 4.4.1 uses an allowlist instead.
  • The Metasploit module was tested specifically against Mirth Connect versions 4.1.1, 4.3.0, and 4.4.0; other versions prior to 4.4.1 may also be affected.
  • The exploit is described as highly reliable because it targets the fundamental data-handling mechanism, not a specific configuration, meaning no special server configuration is required for exploitation.
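Detection logic for the first and fifth bullets above, as an added example that is not part of this record or of any vendor tooling: it classifies constructed reverse-proxy request events for an unauthenticated XML POST to /api/users that returns HTTP 500 and for the payload marker strings the bullets list, and applies the "lower than 4.4.1" version check from the version-probe bullet. The HttpEvent shape, the sample traffic and the classify/detect names are assumptions, not a Mirth Connect log format.

```python
import re
from dataclasses import dataclass, field

# Constructed event shape: what a reverse proxy or WAF in front of Mirth Connect
# might log per request (hypothetical; not the mirth.log format).
@dataclass
class HttpEvent:
    method: str
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Marker strings the record lists for the XStream gadget-chain payload; "exec" is
# matched as a whole word so ordinary XML content does not trip it.
MARKER_RES = [re.compile(p) for p in
              (r"java\.lang\.Runtime", r"getRuntime", r"InvokerTransformer", r"\bexec\b")]

def is_vulnerable_version(version: str) -> bool:
    """Fixed in 4.4.1; any lower version reported by /api/server/version is affected."""
    return tuple(int(p) for p in version.strip().split(".")) < (4, 4, 1)

def classify(ev: HttpEvent) -> list:
    """Return the detection reasons that apply to one request event ([] if benign)."""
    hdrs = {k.lower(): v for k, v in ev.headers.items()}
    reasons = []
    unauth = "authorization" not in hdrs and "cookie" not in hdrs
    if (ev.method == "POST" and ev.path == "/api/users" and unauth
            and "application/xml" in hdrs.get("content-type", "").lower()):
        reasons.append("unauthenticated XML POST to /api/users"
                       + (" with HTTP 500" if ev.status == 500 else ""))
    if ev.path.startswith("/api/"):
        hits = [r.pattern for r in MARKER_RES if r.search(ev.body)]
        if hits:
            reasons.append("gadget-chain markers in body: " + ", ".join(hits))
    return reasons

def detect(events: list) -> list:
    """Index/reasons pairs for suspicious events; benign events are dropped."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]
# Constructed sample traffic: a benign version probe, an authenticated JSON user
# creation, and an unauthenticated XML post whose body carries marker strings.
SAMPLE = [
    HttpEvent("GET", "/api/server/version", 200, {"X-Requested-With": "OpenAPI"}),
    HttpEvent("POST", "/api/users", 200, {"Authorization": "Basic constructed-token",
              "Content-Type": "application/json"}, '{"username": "alice"}'),
    HttpEvent("POST", "/api/users", 500, {"Content-Type": "application/xml"},
              "<list><string>java.lang.Runtime</string><string>getRuntime</string></list>"),
]
```

Running detect(SAMPLE) flags only the third event, with both the request-shape reason and the marker reason; the version probe and the authenticated JSON request produce no reasons.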

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL