Urgent Warning from CISA: NextGen Healthcare’s Mirth Connect Targeted in Cyberattack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in NextGen Healthcare's Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2023-43208, is an unauthenticated remote code execution vulnerability that arises from an incomplete patch for an earlier critical issue, CVE-2023-37679 (CVSS score 9.8).

Horizon3.ai first disclosed CVE-2023-43208 in late October 2023 and published further technical details together with a proof-of-concept exploit in early January 2024. Mirth Connect is an open-source data integration engine used widely in healthcare to route and transform messages (for example HL7) between clinical and administrative systems, so a compromised instance sits directly on the path of patient data.

Security researcher Naveen Sunkavally described the flaw as an easily exploitable remote code execution bug rooted in the insecure use of the Java XStream library to unmarshal XML payloads. Because the original fix was incomplete, installations patched only against CVE-2023-37679 (version 4.4.0) remain exposed; version 4.4.1 is the first release that closes CVE-2023-43208. CISA has not published details of the attacks, but Microsoft reported earlier that both nation-state and cybercriminal actors exploited Mirth Connect vulnerabilities, including CVE-2023-37679 and CVE-2023-43208, to gain initial access to target environments during the first quarter of 2024.
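The underlying weakness is a deserialization pattern, not anything specific to healthcare data. The following is an added illustration written for this article, not code from Mirth Connect, NextGen Healthcare or Horizon3.ai's proof of concept: it shows an XStream instance created with no type restrictions (the risky pattern) beside one locked down to an explicit allowlist. The `Message` class, the `message` alias and both XML inputs are hypothetical and constructed for the example; the second input simply names a class outside the allowlist so the rejection path can be observed. It assumes XStream 1.4.x on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical message type that the service legitimately expects to receive.
    public static class Message {
        public String id;
        public String body;
    }

    // Risky pattern: no security framework configured. On XStream releases before
    // 1.4.18 this instance will instantiate whatever class the XML element names,
    // as long as it is on the classpath. Shown for contrast only; do not use.
    static XStream unrestricted() {
        return new XStream();
    }

    // Hardened pattern: deny every type first, then re-admit only what the
    // application actually exchanges. Anything else fails before instantiation.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);            // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);              // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { Message.class, String.class });
        xs.alias("message", Message.class);                 // hypothetical element name
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardened();

        // Constructed, well-formed input that matches the allowlisted type.
        String expected = "<message><id>42</id><body>ADT^A01</body></message>";
        Message m = (Message) xs.fromXML(expected);
        System.out.println("accepted: id=" + m.id + " body=" + m.body);

        // Constructed input naming a type that is not on the allowlist. This is not
        // an exploit payload; it only demonstrates that the allowlist blocks the
        // class before XStream tries to build it.
        String unexpected = "<java.util.HashMap/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected: input was deserialized");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On XStream 1.4.10 through 1.4.17 the same effect is obtained by calling `XStream.setupDefaultSecurity(xs)` before `allowTypes`; from 1.4.18 onward the allowlist-only behaviour is the default, and a bare `new XStream()` already rejects unknown types. When reviewing an application, the check is simple: any `fromXML` call whose `XStream` instance has neither `addPermission(NoTypePermission.NONE)` nor an explicit `allowTypes` / `allowTypesByWildcard` configuration, on a pre-1.4.18 library, deserves the same scrutiny this vulnerability received.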

Because the flaw requires no authentication, any Mirth Connect instance whose HTTPS administrator and API listener (port 8443 by default) is reachable from an untrusted network can be compromised without credentials, so organizations that have not upgraded face immediate risk rather than a theoretical one. The reported involvement of nation-state actors also signals that well-resourced adversaries are deliberately targeting healthcare integration infrastructure, not merely opportunistic scanning.

Alongside the Mirth Connect vulnerability, CISA added CVE-2024-4947, a type confusion bug in Google Chrome's V8 JavaScript engine that has also been exploited in the wild. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must upgrade to Mirth Connect version 4.4.1 or later, and to Chrome version 125.0.6422.60/.61 on Windows, macOS and Linux, by June 10, 2024. Organizations outside the federal government are strongly encouraged to meet the same deadline.

In MITRE ATT&CK terms, the attacks described here correspond to Exploit Public-Facing Application (T1190) for initial access, typically followed by privilege escalation and persistence techniques once code execution on the integration server is obtained. Patching known, exploited vulnerabilities removes the first link in that chain, which is why it remains the highest-priority action for defenders.

In summary, the recent additions to the KEV catalog serve as a critical reminder of the ongoing threats within the cybersecurity landscape, particularly in sectors as sensitive as healthcare, where data exchange is paramount. As the nature of cyber threats continues to evolve, a proactive stance on vulnerability management is crucial for protecting organizational assets and sensitive information.
