CVE-2023-43208
CVE-2023-43208 is a critical-severity vulnerability in Nextgen Mirth Connect with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-05-20). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 83% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-05-20)
- EU (EUVD) id: EUVD-2023-47627
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-05-20)
- Weakness: CWE-78
- Affected product: Nextgen Mirth Connect
- Published:
- Last modified:
Description
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
CVE-2023-43208: NextGen Mirth Connect Unauthenticated RCE via Incomplete Patch
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-43208 |
| CVSS 3.1 | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78: OS Command Injection |
| EPSS | 0.82708 (82.7% probability of exploitation) |
| KEV | Added 2024-05-20 — actively exploited in the wild |
| Affected | NextGen Mirth Connect < 4.4.1 |
| Patched | Mirth Connect 4.4.1 |
Summary
CVE-2023-43208 is an unauthenticated remote code execution (RCE) vulnerability in NextGen Healthcare Mirth Connect, a widely deployed healthcare integration engine. The flaw exists because the patch applied for CVE-2023-37679 was incomplete, leaving a code path that allows an attacker to inject and execute arbitrary operating system commands without authentication. With a CVSS 3.1 score of 9.8 and EPSS probability exceeding 82%, this vulnerability presents an extreme and actively exploited risk.
Background
Mirth Connect is an open-source cross-platform healthcare integration engine used to manage health data exchange via HL7, FHIR, DICOM, and other protocols. It is deployed in hospitals, clinics, and health information exchanges to route and transform medical messages. Because it sits at the boundary of sensitive clinical systems and often exposes web-facing administrative interfaces, any unauthenticated RCE vulnerability in the platform has immediate and severe consequences for patient data confidentiality and healthcare operations.
Root Cause
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The root cause is an incomplete remediation of a prior OS command injection vulnerability (CVE-2023-37679). The original patch failed to sanitize all input vectors or close all code paths that eventually pass user-controlled data into a system shell execution routine. An attacker can therefore reach a vulnerable sink—likely through an administrative or installation endpoint that accepts serialized objects or path parameters—and inject shell metacharacters that are executed by the underlying operating system with the privileges of the Mirth Connect service account.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H translates to:
- Attack Vector: Network — exploitable remotely without access to the target network.
- Attack Complexity: Low — no special conditions or advanced techniques required.
- Privileges Required: None — no authentication credentials needed.
- User Interaction: None — fully automated exploitation possible.
- Scope: Unchanged — impact remains within the vulnerable component.
- Confidentiality, Integrity, Availability: High — complete compromise of the Mirth Connect host is possible.
In healthcare environments, this enables an attacker to access protected health information (PHI), alter clinical messages, disrupt integration flows, or pivot deeper into the hospital network.
Exploitation Walkthrough
Ethics & Legal Notice: This section is provided for defensive purposes only. Unauthorized access to computer systems is illegal in most jurisdictions. The following describes the conceptual attack flow without providing weaponized exploit code.
- Reconnaissance: Identify an externally exposed Mirth Connect Administrator interface or related API endpoint (commonly on TCP 8443 or 8080).
- Vector Identification: Send crafted requests to endpoints that accept serialized Java objects or file-path parameters. The incomplete patch leaves at least one deserialization or command-execution path unprotected.
- Command Injection: Inject shell metacharacters or chained commands into the vulnerable parameter. Because the input is not properly neutralized before being passed to a runtime exec or shell invocation, the operating system executes the attacker-controlled command.
- Post-Exploitation: With code execution as the Mirth Connect service user, the attacker can read database credentials, access message archives containing PHI, install persistence mechanisms, or move laterally via built-in OS tools.
Defenders should assume that this vulnerability is trivially exploitable with publicly available proof-of-concept techniques once the exact endpoint and payload structure are known.
Affected and Patched Versions
- Affected: NextGen Mirth Connect versions prior to 4.4.1
- Patched: NextGen Mirth Connect 4.4.1 and later
The vulnerability was introduced by an incomplete fix for CVE-2023-37679; therefore, any environment that applied the original patch but did not upgrade to 4.4.1 remains at risk.
Remediation
Primary: Upgrade Mirth Connect to version 4.4.1 or later as soon as possible. This is the only complete fix.
Compensating Controls (if immediate patching is not feasible):
- Restrict network access to the Mirth Connect Administrator interface to a strictly defined set of administrative IP addresses via host firewall or network segmentation.
- Place the application behind a Web Application Firewall (WAF) with rules tuned to block command injection patterns and serialized object payloads.
- Disable or remove any publicly exposed Mirth Connect endpoints that are not strictly required for operational interfaces.
- Ensure the Mirth Connect service runs under a dedicated, low-privilege account with no shell access and minimal filesystem permissions.
- Enable detailed request logging and forward logs to a SIEM for real-time correlation.
Detection
- Network: Monitor for unexpected HTTP POST or GET requests to Mirth Connect administrative endpoints containing shell metacharacters (
;,|,&,`,$(), or base64-encoded command strings). - Host: Alert on anomalous process spawning by the Mirth Connect Java process (e.g.,
bash,cmd.exe,powershell.exe, or unexpectedcurl/wgetchild processes). - File Integrity: Monitor critical Mirth Connect configuration files and plugin directories for unauthorized modifications.
- SIEM Rules: Correlate CISA KEV tag CVE-2023-43208 with outbound connections from Mirth Connect hosts to rare external IPs, which may indicate post-exploitation command-and-control activity.
Assessment
With an EPSS score of 0.82708 (placing it in the 99.6th percentile) and confirmed KEV status since 2024-05-20, CVE-2023-43208 is not merely theoretical—it is actively exploited in the wild. Healthcare organizations running unpatched Mirth Connect instances are high-value targets due to the richness of PHI and the frequent external exposure of integration engines.
Key takeaways:
- Incomplete patches can be as dangerous as the original vulnerability. Always verify that a vendor fix closes all attack paths and does not rely on narrow input validation alone.
- In healthcare environments, integration engines are critical infrastructure. They should be treated with the same hardening rigor as domain controllers or EMR systems—no direct internet exposure, strict access controls, and continuous monitoring.
References
Frequently asked questions
- What is CVE-2023-43208?
- NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
- How severe is CVE-2023-43208?
- CVE-2023-43208 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-43208 being actively exploited?
- Yes. CVE-2023-43208 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-05-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-43208?
- CVE-2023-43208 affects Nextgen Mirth Connect. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-43208?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-43208 have an EU (EUVD) identifier?
- Yes. CVE-2023-43208 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-47627. It is also flagged as exploited in the EUVD (since 2024-05-20).
- When was CVE-2023-43208 published?
- CVE-2023-43208 was published on 2023-10-26 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43208
Affected products (1)
- cpe:2.3:a:nextgen:mirth_connect:*:*:*:*:*:*:*:*
More vulnerabilities in Nextgen Mirth Connect
- CVE-2023-37679 — Critical (CVSS 9.8): A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary…
All CVEs affecting Nextgen Mirth Connect →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…