
CISA Warns of Attacks Exploiting NextGen Healthcare Mirth Connect Flaw

CISA has added CVE-2023-43208, an unauthenticated remote code execution vulnerability, to its KEV catalog. 


The US cybersecurity agency CISA on Monday added a flaw affecting NextGen Healthcare’s Mirth Connect product to its Known Exploited Vulnerabilities (KEV) catalog. 

Mirth Connect is a widely used cross-platform interface engine that healthcare organizations use for information management. 

The vulnerability affecting the open source product, tracked as CVE-2023-43208, is a data deserialization issue that can allow unauthenticated remote code execution. A patch was rolled out with the release of version 4.4.1.

The flaw came to light in October 2023, when cybersecurity firm Horizon3.ai warned of its potential impact on healthcare companies. CVE-2023-43208 is a variation of CVE-2023-37679, which Mirth Connect developers had previously patched with the release of version 4.4.0.

Horizon3.ai at the time described the vulnerability as easily exploitable and cautioned that “attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data”.

The security firm also noted seeing more than 1,200 internet-exposed instances of NextGen Mirth Connect.

Horizon3.ai made available technical details and proof-of-concept (PoC) code in mid-January 2024. A few days later, The Shadowserver Foundation reported seeing more than 440 internet-exposed instances that appeared to be impacted by CVE-2023-43208.

CISA has added CVE-2023-43208 to its KEV catalog and instructed government agencies to address it by June 10. 


The agency has not shared any information on the attacks. Exploitation of CVE-2023-37679 and CVE-2023-43208 was mentioned by Microsoft in April in a brief report on ransomware attacks seen by the tech giant in the first quarter of 2024. 

Microsoft said at the time that the Mirth Connect and other flaws had been exploited for initial access by a China-based threat actor tracked by the company as Storm-1175, known for deploying Medusa ransomware.

CISA may be aware of other attacks. The agency’s KEV catalog does not mention ransomware exploitation (the field that specifies whether a flaw has been used in ransomware attacks is ‘unknown’) and CVE-2023-37679 has yet to be added to the catalog.  
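As an added example (not part of the article or of NextGen's tooling), the following Python triage routine cross-checks an inventory of Mirth Connect hosts against the fixed versions cited above (4.4.0 for CVE-2023-37679, 4.4.1 for CVE-2023-43208) and against a KEV-style record. The KEV record and the host inventory are constructed; the record's field names (cveID, dueDate, knownRansomwareCampaignUse) are assumed to mirror the public catalog's JSON schema.

```python
import json

# Fixed versions per the article: 4.4.0 patched CVE-2023-37679, 4.4.1 patched its variant.
FIXED_VERSIONS = {
    "CVE-2023-37679": (4, 4, 0),
    "CVE-2023-43208": (4, 4, 1),
}

# Constructed KEV-style record; field names assumed to match the public catalog feed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2023-43208",
    "vendorProject": "NextGen Healthcare",
    "product": "Mirth Connect",
    "dueDate": "2024-06-10",
    "knownRansomwareCampaignUse": "Unknown",
}]})

# Constructed inventory: hostname -> installed Mirth Connect version string.
INVENTORY = {"mirth-prod-01": "4.3.0", "mirth-prod-02": "4.4.0", "mirth-dev": "4.4.1"}


def parse_version(text):
    """Turn '4.4.1' into (4, 4, 1) for tuple comparison; ignore build suffixes like '-b123'."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def kev_index(feed_json):
    """Map cveID -> KEV record, restricted to the Mirth Connect CVEs tracked here."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"] if v["cveID"] in FIXED_VERSIONS}


def triage(inventory, feed_json):
    """Return {host: [(cve, listed_in_kev, due_date, ransomware_flag), ...]} for unpatched hosts.

    A host is flagged for a CVE when its installed version is older than that CVE's fix.
    Hosts at or above 4.4.1 produce no findings.
    """
    kev = kev_index(feed_json)
    findings = {}
    for host, version in inventory.items():
        installed = parse_version(version)
        for cve, fixed in FIXED_VERSIONS.items():
            if installed < fixed:
                rec = kev.get(cve)
                findings.setdefault(host, []).append((
                    cve, rec is not None,
                    rec["dueDate"] if rec else None,
                    rec["knownRansomwareCampaignUse"] if rec else None))
    return findings
```

A host still on 4.4.0 is reported only for CVE-2023-43208, matching the article's point that the first patch did not cover the variant.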


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
