Critical NextGen Healthcare Mirth Connect Vulnerability Under Active Exploitation
On May 20, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) added a critical NextGen Healthcare Mirth Connect remote code execution vulnerability to its Known Exploited Vulnerability (KEV) Catalog.
Mirth Connect is an open-source integration engine that is used in healthcare to support interoperability and enables healthcare data to be securely and efficiently exchanged between different systems and applications through standardized formats and protocols such as HL7, DICOM, and FHIR.
The deserialization of untrusted data vulnerability is tracked as CVE-2023-43208 and has a CVSS v3.1 base score of 9.8 out of 10. The vulnerability affects all versions before 4.4.1 and allows unauthenticated remote code execution and is due to the incomplete patching of CVE-2023-37679. According to security researchers at Horizon3.ai, the vulnerability does not require any credentials, is easy to exploit, and allows a threat actor to fully compromise a vulnerable Mirth Connect Server.
The company’s NodeZero pentesting product has been used to successfully exploit the vulnerability against several healthcare organizations. The researchers issued an advisory about the vulnerability in January 2024 urging healthcare organizations to upgrade to the patched version and said at the time it was highly likely that the vulnerability had already been exploited in healthcare cyberattacks.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The vulnerability was first reported in October 2023 and was fixed in version 4.4.1; however, despite a fix being available for 7 months, many healthcare organizations have not yet updated to the patched version, and are vulnerable to exploitation. CISA did not disclose which threat actors are exploiting the vulnerability; however, in April, Microsoft said the Chinese threat group it tracks as Storm-1175 was observed exploiting the vulnerability for initial access. In addition to being used for initial access, the vulnerability can be exploited for lateral movement within internal networks, allowing access to be gained to sensitive healthcare data.
Immediate patching is necessary to prevent exploitation if the Mirth Connect server is exposed to the Internet. If the patch cannot be immediately applied, Mirth Connect should be disconnected from the Internet until patching is possible. Even if Mirth Connect is not exposed to the Internet, patching should be prioritized as it can be exploited internally for lateral movement. Federal agencies are required to upgrade to version 4.11 no later than June 10, 2024.
