CVE-2023-43208
Published 2023-10-26
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2024-06-10)
Exploited in the wild
EPSS: 82.71% (99.6th percentile)
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextgen | mirth_connect | < 4.4.1 | 4.4.1 |
Detection & IOCs (extracted from sources)
Nuclei matcher (the PoC template's DSL conditions, not a Sigma rule):
matchers:
  - type: dsl
    dsl:
      - 'compare_versions(version, "<4.4.1")'
      - 'contains(interactsh_protocol, "dns")'
      - 'status_code_1 == 200 && status_code_2 == 500'
    condition: and
- Detect exploitation attempts by monitoring for POST requests to /api/users with Content-Type: application/xml from unauthenticated sources, combined with HTTP 500 response codes.
- Monitor Mirth Connect server logs (mirth.log) for com.thoughtworks.xstream.converters.ConversionException or SecurityException errors, which may indicate failed exploitation attempts.
- Alert on the Mirth Connect Java process (java.exe or mcserver) spawning child processes such as cmd.exe, powershell.exe, or /bin/bash, which indicates successful RCE.
- Use Shodan/FOFA queries to identify exposed Mirth Connect instances. Shodan: title:"mirth connect administrator"; FOFA: title="mirth connect administrator".
- Version check: send GET /api/server/version with the header X-Requested-With: OpenAPI; a response version lower than 4.4.1 indicates a vulnerable instance.
- The exploit payload uses the InvokerTransformer gadget chain from Apache Commons Collections to bypass the XStream denylist; detect XML bodies referencing java.lang.Runtime, getRuntime, exec, or InvokerTransformer in requests to Mirth Connect API endpoints.
- The Nuclei PoC template confirms vulnerability by checking three things: HTTP 200 on the version endpoint, HTTP 500 on POST /api/users with the XML payload, and a DNS callback interaction. Use all three conditions together to reduce false positives.
- Monitor for unexpected outbound network connections from the Mirth Connect server, particularly to unknown external IPs on ports 80, 443, and 445, which may indicate C2 activity post-exploitation.
- The vulnerability is exploitable pre-authentication because XmlMessageBodyReader processes incoming XML requests before any authentication check is performed.
- CVE-2023-43208 is a patch bypass of CVE-2023-37679. The original fix used a denylist approach (blocking ProcessBuilder), which was insufficient; the fix in 4.4.1 uses an allowlist instead.
- The Metasploit module was tested specifically against Mirth Connect versions 4.1.1, 4.3.0, and 4.4.0; other versions prior to 4.4.1 may also be affected.
- The exploit is described as highly reliable because it targets the fundamental data-handling mechanism rather than a specific configuration, so no special server configuration is required for exploitation.
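The detection notes above (version gating, the POST /api/users pattern, the mirth.log errors) and the content matches of the ET Suricata rule listed further down can be turned into a small triage script. The following Python is an added example for this page, not code from NextGen Healthcare, Horizon3, Huntress, or the Nuclei and Suricata projects. The Request record, its authenticated flag, the mirth.log lines and the three sample requests are constructed; the version endpoint is assumed to answer with a bare version string such as "4.4.0".

```python
"""Triage helpers for CVE-2023-43208 (Mirth Connect pre-auth XStream RCE).

Added example, not code from NextGen Healthcare, Horizon3, Huntress or the
Nuclei/Suricata projects. It turns the detection notes above into code:
version gating on the /api/server/version response (fixed in 4.4.1), a port
of the ET Suricata rule's content matches on POST /api/users, and a count of
XStream errors in mirth.log. The Request record, the log lines and every
sample are constructed; the version endpoint is assumed to return a bare
version string such as "4.4.0".
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (4, 4, 1)

# Fragments the ET rule (sid 2053410) looks for in the request body. The
# <iMethodName> elements are how XStream serialises the field of the
# Commons Collections InvokerTransformer the gadget chain is built from.
BODY_PREFIX = b"  <string>"  # content:"|20 20 3c|string|3e|"; startswith;
BODY_MARKERS = (
    b"<iMethodName>getMethod</iMethodName>",
    b"<string>getRuntime</string>",
    b"<iMethodName>invoke</iMethodName>\r\n",
)
XSTREAM_ERRORS = ("com.thoughtworks.xstream.converters.ConversionException",
                  "java.lang.SecurityException")


def parse_version(text):
    """Return (major, minor, patch) parsed from a version response, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable_version(text):
    """Same test as the Nuclei matcher compare_versions(version, "<4.4.1")."""
    v = parse_version(text)
    return v is not None and v < FIXED_VERSION


@dataclass
class Request:
    method: str
    uri: str
    content_type: str
    body: bytes
    status: int          # status code the server answered with
    authenticated: bool  # request carried a valid Mirth session (constructed field)


def is_xml_user_post(req):
    """The rule's method/uri/content-type matches (urilen:10 is '/api/users')."""
    return (req.method == "POST" and req.uri == "/api/users"
            and "application/xml" in req.content_type.lower())


def matches_et_rule(req):
    """Port of the body matches. Without distance/within modifiers the three
    markers may sit anywhere in the body; only the prefix is anchored."""
    return (is_xml_user_post(req) and req.body.startswith(BODY_PREFIX)
            and all(marker in req.body for marker in BODY_MARKERS))


def triage(req):
    """'exploit_attempt' on a rule hit, 'suspicious' on the weaker signal from
    the notes (unauthenticated XML POST to /api/users answered with HTTP 500),
    otherwise 'benign'."""
    if matches_et_rule(req):
        return "exploit_attempt"
    if is_xml_user_post(req) and req.status == 500 and not req.authenticated:
        return "suspicious"
    return "benign"


def xstream_errors(mirth_log):
    """Count mirth.log lines that record a failed deserialisation attempt."""
    return sum(1 for line in mirth_log.splitlines()
               if any(err in line for err in XSTREAM_ERRORS))


# Constructed samples. PROBE only resembles the gadget chain closely enough
# for the rule to fire; it is not a working payload.
LEGIT = Request("POST", "/api/users", "application/xml",
                b"<user>\n  <username>hl7-feed</username>\n</user>", 200, True)
PROBE = Request("POST", "/api/users", "application/xml; charset=utf-8",
                BODY_PREFIX + b"x</string>\r\n" + b"".join(BODY_MARKERS), 500, False)
NOISE = Request("POST", "/api/users", "application/xml", b"<user><bad", 500, False)
SAMPLE_LOG = """\
INFO  2024-05-21 10:01:02 [main] Mirth Connect 4.4.0 started (constructed line)
ERROR 2024-05-21 10:02:11 [qtp-42] com.thoughtworks.xstream.converters.ConversionException: rejected body (constructed)
ERROR 2024-05-21 10:02:12 [qtp-42] java.lang.SecurityException: rejected body (constructed)
"""

if __name__ == "__main__":
    print("4.4.0 vulnerable:", is_vulnerable_version("4.4.0"))
    for name, req in (("LEGIT", LEGIT), ("PROBE", PROBE), ("NOISE", NOISE)):
        print(name, triage(req))
    print("xstream errors:", xstream_errors(SAMPLE_LOG))
```

The split between "exploit_attempt" and "suspicious" mirrors the two signals in the notes: a body carrying the gadget-chain markers is a high-confidence hit, while an unauthenticated XML POST to /api/users that the server answered with 500 is worth a look but also fires on malformed traffic, so it should be corroborated with the mirth.log errors or a child-process alert before escalating.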
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | |
| cisa | 9.8 | CRITICAL | |
GHSA
GHSA-pj5c-qr29-6746 · ghsa_unreviewed · 2023-10-26 · CVSS 9.8 · CWE-502 · CVE-2023-43208 [CRITICAL]
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
VulnCheck
CVE-2023-37679 [CRITICAL] · vulncheck · 2023 · CVSS 9.8
nextgen mirth_connect: Improper Neutralization of Special Elements used in a Command ('Command Injection')
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
Affected: nextgen mirth_connect
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://x.com/MsftSecIntel/status/1781353319341928668
- https://censys.com/cve-2023-43208/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-05-25&host_type=src&vulnerability=cve-2023-37679
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerabili
VulnCheck
CVE-2023-43208 [CRITICAL] · vulncheck · 2023 · CVSS 9.8 · CWE-502
NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability
NextGen Healthcare Mirth Connect contains a deserialization of untrusted data vulnerability that allows for unauthenticated remote code execution via a specially crafted request.
Affected: NextGen Healthcare Mirth Connect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://github.com/nextgenhealthcare/connect/discussions/6124
- https://x.com/MsftSecIntel/status/1781353319341928668
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://censys.com/cve-2023-43208/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerabili
CISA
CVE-2023-43208 [CRITICAL] · cisa · 2024-05-20 · CVSS 9.8 · CWE-502
Vulnerability: NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability
Affected: NextGen Healthcare Mirth Connect
NextGen Healthcare Mirth Connect contains a deserialization of untrusted data vulnerability that allows for unauthenticated remote code execution via a specially crafted request.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://github.com/nextgenhealthcare/connect/wiki/4.4.1---What%27s-New ; https://nvd.nist.gov/vuln/detail/CVE-2023-43208
Suricata
ET EXPLOIT NextGen Mirth Connect <4.4.1 RCE Attempt (CVE-2023-43208) · suricata · 2024-06-10 · CVSS 9.8 · CVE-2023-43208 [CRITICAL]
Rule (sid 2053410; the action/protocol header and the tail of the metadata are truncated):
[$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NextGen Mirth Connect <4.4.1 RCE Attempt (CVE-2023-43208)"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/api/users"; http.content_type; content:"application/xml"; nocase; http.request_body; content:"|20 20 3c|string|3e|"; startswith; content:"|3c|iMethodName|3e|getMethod|3c 2f|iMethodName|3e|"; content:"|3c|string|3e|getRuntime|3c 2f|string|3e|"; content:"|3c|iMethodName|3e|invoke|3c 2f|iMethodName|3e 0d 0a|"; fast_pattern; reference:cve,2023-43208; reference:url,horizon3.ai/attack-research/attack-blogs/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/; classtype:attempted-admin; sid:2053410; rev:1; metadata:attack_target Server, created_at 2024_06_10, cve
Metasploit
Mirth Connect Deserialization RCE · metasploit · CVSS 9.8 · CVE-2023-37679 [CRITICAL]
A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later, researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was patched in Mirth Connect version 4.4.1. This module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.
Nuclei
NextGen Mirth Connect - Remote Code Execution · nuclei · CVSS 9.8 · CVE-2023-37679 [CRITICAL]
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability.
Template:
id: CVE-2023-37679
info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  impact: |
    Unauthenticated attackers can exploit XML deserialization vulnerabilities to execute arbitrary code on the Mirth Connect server, potentially compro
Nuclei
NextGen Healthcare Mirth Connect - Remote Code Execution · nuclei · CVSS 9.8 · CVE-2023-43208 [CRITICAL]
Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1.
Template:
id: CVE-2023-43208
info:
  name: NextGen Healthcare Mirth Connect - Remote Code Execution
  author: princechaddha
  severity: critical
  description: Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1.
  impact: |
    Successful exploitation could result in unauthorized access and potential compromise of sensitive data.
  remediation: |
    Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
  reference:
    - http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
    - https://github.com/nvn1729/advisories
  classification:
    cvs
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
## Table of Contents
- Key Takeaways from the Threat Landscape Report 2024
- Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
- Cyber Threat Landscape 2024: A Detailed Review
- Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
- Mid-2024's Most Exploited Vulnerabilities in the Cybersecurity Landscape
- Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Huntress
CVE-2023-43208 (Mirth Connect RCE) Vulnerability: Analysis & Detection | Huntress
blogs_huntress·CVSS 9.8
CVE-2023-43208 Vulnerability
Published: 02/20/2026
Written by: Nadine Rozell
CVEs are Common Vulnerabilities and Exposures: unique identifiers assigned to publicly known cybersecurity vulnerabilities.
CVE-2023-43208 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting NextGen Healthcare Mirth Connect, a data integration platform widely used in the healthcare sector to process patient records (HL7, XML, etc.).
This page details how this Java deserialization flaw works, why the original patch failed, and how to secure your environment against it.
## What is CVE-2023-43208 vulnerability?
CVE-2023-43208 is an insecure deserialization vulnerability within the Mirth Connect API.
It allows an unauthenticated attacker to send a specially crafted XML payload t
Greynoiseio
NoiseLetter January 2024
blogs_greynoiseio
arXiv
Discerning Reliable Cyber Threat Indicators for Timely Cyber Threat Intelligence
arxiv_fulltext·2025-08-11
## Abstract
In today's dynamic cybersecurity landscape, timely and accurate threat intelligence is essential for proactive defense. This study explores the potential of social media platforms as a valuable resource for extracting actionable Indicators of Compromise (IoCs). Utilizing a Convolutional Neural Network (CNN), we achieved an F1-score of 98.80% and a detection rate of 99.65%, filtering vast social media data to identify key IoCs, including IP addresses, URLs, file hashes, domain addresses, and CVE IDs. These indicators are critical for detecting potential threats and vulnerabilities, and their relevance was evaluated using metrics such as correctness, timeliness, and overlap. Our analysis shows that URLs emerged as the most frequently shared IoC, with 48.67% representing valid th
References
- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43208
Timeline
2023-10-26: Published
2024-05-20: Added to CISA KEV
Exploited in the wild