On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting NextGen Healthcare’s Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of ongoing exploitation.
This vulnerability, designated CVE-2023-43208 (CVSS score: N/A), involves unauthenticated remote code execution due to an inadequate patch for a previous critical flaw, CVE-2023-37679 (CVSS score: 9.8).
Details regarding this vulnerability were initially unveiled by Horizon3.ai in late October 2023, with further technical insights and a proof-of-concept (PoC) exploit disclosed earlier this January.
Mirth Connect, an open-source data integration platform extensively utilized by healthcare organizations, facilitates the exchange of data between disparate systems in a standardized format.
CVE-2023-43208 is “ultimately linked to insecure handling of the Java XStream library for unmarshalling XML payloads,” noted security researcher Naveen Sunkavally, characterizing the flaw as readily exploitable.
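The root cause named above is an XStream deserialization sink. As an added example that is not part of the original article or of the Mirth Connect code base, the following Java snippet shows how an XStream instance can be restricted to an explicit allowlist of types so that an XML payload naming any other class is rejected before it is instantiated; the `Patient` class, the `hardenedXStream` helper and the XML strings are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Hypothetical domain type: the only object the application expects to unmarshal.
    public static class Patient {
        public String mrn;
        public String name;
    }

    // Build an XStream instance that deserializes only explicitly allowed types.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // Start from "deny every type", then re-add only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Patient.class });
        xstream.alias("patient", Patient.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign message of the expected type: accepted.
        String expected = "<patient><mrn>12345</mrn><name>Test Patient</name></patient>";
        Patient p = (Patient) xstream.fromXML(expected);
        System.out.println("Accepted: " + p.name);

        // Constructed message naming a JDK type the application never intended to
        // unmarshal. Any class outside the allowlist is refused before instantiation.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (XStreamException e) {
            // XStream raises ForbiddenClassException (a subtype of XStreamException).
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```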
CISA has not yet shared details of the attacks leveraging this vulnerability, so the identity of the perpetrators and the timing of in-the-wild exploitation attempts remain unknown.
Nevertheless, Microsoft reported last month that nation-state actors and cybercriminal groups have been exploiting various vulnerabilities in Mirth Connect (CVE-2023-37679, CVE-2023-43208), ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708), JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199), and Fortinet FortiClient EMS (CVE-2023-48788) to gain initial access during Q1 2024.
Additionally, the KEV catalog has been updated to include a newly disclosed type confusion flaw affecting the Google Chrome browser (CVE-2024-4947), acknowledged by the tech giant as being actively exploited in real-world attacks.
Federal agencies must update to the patched versions – Mirth Connect version 4.4.1 or later and Chrome version 125.0.6422.60/.61 for Windows, macOS, and Linux – by June 10, 2024, to safeguard their networks against active threats.