Cyber Defense Advisors

NextGen Healthcare Mirth Connect Under Attack – CISA Issues Urgent Warning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting NextGen Healthcare Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The flaw, tracked as CVE-2023-43208 (CVSS score: N/A), concerns a case of unauthenticated remote code execution arising from an incomplete patch for another critical flaw, CVE-2023-37679 (CVSS score: 9.8).

Details of the vulnerability were first revealed by Horizon3.ai in late October 2023, with additional technical specifics and a proof-of-concept (PoC) exploit released earlier this January.

Mirth Connect is an open-source data integration platform widely used by healthcare companies, allowing for data exchange between different systems in a standardized manner.

CVE-2023-43208 is “ultimately related to insecure usage of the Java XStream library for unmarshalling XML payloads,” security researcher Naveen Sunkavally said, describing the flaw as easily exploitable.
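The researcher quote above attributes the flaw to unsafe use of XStream for unmarshalling XML. As an added illustration (not Mirth Connect's code and not from Horizon3.ai), the block below contrasts an XStream instance left on its historic defaults with one configured through XStream's own allow-list API so that only the application's expected types may be named by an incoming document; the ChannelMessage type and both sample messages are constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardeningDemo {

    // Hypothetical message type an integration engine might legitimately accept.
    public static class ChannelMessage {
        public String channelId;
        public String payload;
    }

    // Weak setup: before XStream 1.4.18 a bare instance relied on a deny-list,
    // so the class to instantiate was chosen by whatever the XML named.
    static XStream weakInstance() {
        return new XStream();
    }

    // Hardened setup: start from "nothing is allowed", then permit only
    // primitives, nulls and the exact application types this endpoint expects.
    static XStream hardenedInstance() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // clear every default permission
        xs.addPermission(NullPermission.NULL);                // allow explicit nulls
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, ChannelMessage.class });
        xs.alias("message", ChannelMessage.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed samples: one expected message and one naming a type outside the allow-list.
        String benign = "<message><channelId>lab-01</channelId><payload>ADT^A01</payload></message>";
        String unexpected = "<java.util.HashMap/>";

        XStream xs = hardenedInstance();
        ChannelMessage m = (ChannelMessage) xs.fromXML(benign);
        System.out.println("accepted channel: " + m.channelId);

        try {
            xs.fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            // Any class not explicitly allowed is refused before it is instantiated.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with the XStream jar on the classpath; the weak instance is kept only for side-by-side comparison and should not be used to parse untrusted input.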

CISA has not provided any information about the nature of attacks exploiting the flaw, and it is unclear who has weaponized it or when in-the-wild exploitation attempts were first recorded.

That said, Microsoft noted last month that it has observed nation-state actors and cybercrime actors exploiting various flaws in Mirth Connect (CVE-2023-37679, CVE-2023-43208), ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708), JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199), and Fortinet FortiClient EMS (CVE-2023-48788) for initial access in Q1 2024.

Also added to the KEV catalog is a newly disclosed type confusion bug impacting the Google Chrome browser (CVE-2024-4947) that the tech giant has acknowledged as exploited in real-world attacks.

Federal agencies are required to update to a patched version of the software – Mirth Connect version 4.4.1 or later and Chrome version 125.0.6422.60/.61 for Windows, macOS, and Linux – by June 10, 2024, to secure their networks against active threats.