CISA Warning: Mirth Connect Flaw Actively Exploited

The United States Cybersecurity and Infrastructure Security Agency (CISA) included a vulnerability affecting Mirth Connect from NextGen Healthcare in its Known Exploited Vulnerabilities (KEV) catalog last Monday, May 20.

The vulnerability, designated CVE-2023-43208, involves unauthenticated remote code execution and arose from an incomplete fix of another critical vulnerability—CVE-2023-37679, which has a CVSS rating of 9.8.

Mirth Connect is an open-source data integration platform widely used in American healthcare for data exchange between various systems.

Information about this vulnerability first emerged thanks to Horizon3.ai specialists in late October 2023, with additional technical details and a PoC exploit published in January 2024.

Security researcher Navin Sankavalli reported that CVE-2023-43208 is linked to the unsafe use of the Java XStream library for processing XML data, making the vulnerability easily exploitable.

CISA did not provide information on the nature of the attacks exploiting this vulnerability, and it remains unclear who has been using it and when.

In addition to the vulnerability in Mirth Connect, the agency also added a recent Type Confusion vulnerability affecting the Google Chrome browser (CVE-2024-4947) to the KEV catalog, which Google acknowledged as being exploited in real-world attacks.

US federal agencies are mandated to update their software to the patched versions: Mirth Connect version 4.4.1 or higher, and Chrome version 125.0.6422.60/.61 for Windows, macOS, and Linux by June 10, 2024, to protect their networks from active cyber threats.