CVE-2023-43208

CVE-2023-43208 is a critical-severity vulnerability in Nextgen Mirth Connect with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-05-20). The underlying weakness is classified as CWE-78.

Key facts

Description

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.

CVE-2023-43208: NextGen Mirth Connect Unauthenticated RCE via Incomplete Patch

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2023-43208
CVSS 3.1 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-78: OS Command Injection
EPSS 0.82708 (82.7% probability of exploitation)
KEV Added 2024-05-20 — actively exploited in the wild
Affected NextGen Mirth Connect < 4.4.1
Patched Mirth Connect 4.4.1

Summary

CVE-2023-43208 is an unauthenticated remote code execution (RCE) vulnerability in NextGen Healthcare Mirth Connect, a widely deployed healthcare integration engine. The flaw exists because the patch applied for CVE-2023-37679 was incomplete, leaving a code path that allows an attacker to inject and execute arbitrary operating system commands without authentication. With a CVSS 3.1 score of 9.8 and EPSS probability exceeding 82%, this vulnerability presents an extreme and actively exploited risk.

Background

Mirth Connect is an open-source cross-platform healthcare integration engine used to manage health data exchange via HL7, FHIR, DICOM, and other protocols. It is deployed in hospitals, clinics, and health information exchanges to route and transform medical messages. Because it sits at the boundary of sensitive clinical systems and often exposes web-facing administrative interfaces, any unauthenticated RCE vulnerability in the platform has immediate and severe consequences for patient data confidentiality and healthcare operations.

Root Cause

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The root cause is an incomplete remediation of a prior OS command injection vulnerability (CVE-2023-37679). The original patch failed to sanitize all input vectors or close all code paths that eventually pass user-controlled data into a system shell execution routine. An attacker can therefore reach a vulnerable sink—likely through an administrative or installation endpoint that accepts serialized objects or path parameters—and inject shell metacharacters that are executed by the underlying operating system with the privileges of the Mirth Connect service account.

Impact

The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H translates to:

  • Attack Vector: Network — exploitable remotely without access to the target network.
  • Attack Complexity: Low — no special conditions or advanced techniques required.
  • Privileges Required: None — no authentication credentials needed.
  • User Interaction: None — fully automated exploitation possible.
  • Scope: Unchanged — impact remains within the vulnerable component.
  • Confidentiality, Integrity, Availability: High — complete compromise of the Mirth Connect host is possible.

In healthcare environments, this enables an attacker to access protected health information (PHI), alter clinical messages, disrupt integration flows, or pivot deeper into the hospital network.

Exploitation Walkthrough

Ethics & Legal Notice: This section is provided for defensive purposes only. Unauthorized access to computer systems is illegal in most jurisdictions. The following describes the conceptual attack flow without providing weaponized exploit code.

  1. Reconnaissance: Identify an externally exposed Mirth Connect Administrator interface or related API endpoint (commonly on TCP 8443 or 8080).
  2. Vector Identification: Send crafted requests to endpoints that accept serialized Java objects or file-path parameters. The incomplete patch leaves at least one deserialization or command-execution path unprotected.
  3. Command Injection: Inject shell metacharacters or chained commands into the vulnerable parameter. Because the input is not properly neutralized before being passed to a runtime exec or shell invocation, the operating system executes the attacker-controlled command.
  4. Post-Exploitation: With code execution as the Mirth Connect service user, the attacker can read database credentials, access message archives containing PHI, install persistence mechanisms, or move laterally via built-in OS tools.

Defenders should assume that this vulnerability is trivially exploitable with publicly available proof-of-concept techniques once the exact endpoint and payload structure are known.

Affected and Patched Versions

  • Affected: NextGen Mirth Connect versions prior to 4.4.1
  • Patched: NextGen Mirth Connect 4.4.1 and later

The vulnerability was introduced by an incomplete fix for CVE-2023-37679; therefore, any environment that applied the original patch but did not upgrade to 4.4.1 remains at risk.

Remediation

Primary: Upgrade Mirth Connect to version 4.4.1 or later as soon as possible. This is the only complete fix.

Compensating Controls (if immediate patching is not feasible):

  • Restrict network access to the Mirth Connect Administrator interface to a strictly defined set of administrative IP addresses via host firewall or network segmentation.
  • Place the application behind a Web Application Firewall (WAF) with rules tuned to block command injection patterns and serialized object payloads.
  • Disable or remove any publicly exposed Mirth Connect endpoints that are not strictly required for operational interfaces.
  • Ensure the Mirth Connect service runs under a dedicated, low-privilege account with no shell access and minimal filesystem permissions.
  • Enable detailed request logging and forward logs to a SIEM for real-time correlation.

Detection

  • Network: Monitor for unexpected HTTP POST or GET requests to Mirth Connect administrative endpoints containing shell metacharacters (;, |, &, `, $(), or base64-encoded command strings).
  • Host: Alert on anomalous process spawning by the Mirth Connect Java process (e.g., bash, cmd.exe, powershell.exe, or unexpected curl/wget child processes).
  • File Integrity: Monitor critical Mirth Connect configuration files and plugin directories for unauthorized modifications.
  • SIEM Rules: Correlate CISA KEV tag CVE-2023-43208 with outbound connections from Mirth Connect hosts to rare external IPs, which may indicate post-exploitation command-and-control activity.

Assessment

With an EPSS score of 0.82708 (placing it in the 99.6th percentile) and confirmed KEV status since 2024-05-20, CVE-2023-43208 is not merely theoretical—it is actively exploited in the wild. Healthcare organizations running unpatched Mirth Connect instances are high-value targets due to the richness of PHI and the frequent external exposure of integration engines.

Key takeaways:

  1. Incomplete patches can be as dangerous as the original vulnerability. Always verify that a vendor fix closes all attack paths and does not rely on narrow input validation alone.
  2. In healthcare environments, integration engines are critical infrastructure. They should be treated with the same hardening rigor as domain controllers or EMR systems—no direct internet exposure, strict access controls, and continuous monitoring.

References

Frequently asked questions

What is CVE-2023-43208?
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
How severe is CVE-2023-43208?
CVE-2023-43208 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-43208 being actively exploited?
Yes. CVE-2023-43208 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-05-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-43208?
CVE-2023-43208 affects Nextgen Mirth Connect. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-43208?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-43208 have an EU (EUVD) identifier?
Yes. CVE-2023-43208 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-47627. It is also flagged as exploited in the EUVD (since 2024-05-20).
When was CVE-2023-43208 published?
CVE-2023-43208 was published on 2023-10-26 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Nextgen Mirth Connect

All CVEs affecting Nextgen Mirth Connect →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →