Cyber Resilience

CVE-2023-43208

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 26 October 2023
Modified: 31 October 2025
KEV Added: 20 May 2024
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9442 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-43208 is a critical-severity OS Command Injection (CWE-78) vulnerability in NextGen Healthcare Mirth Connect. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

NextGen Healthcare Mirth Connect versions prior to 4.4.1 contain an unauthenticated remote code execution vulnerability that stems from an incomplete remediation of CVE-2023-37679. The flaw is tracked under CWE-78 and CWE-502 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors that require no credentials or user interaction.

Remote attackers can send specially crafted requests to the affected server and obtain arbitrary command execution on the underlying host, enabling full system compromise including data exfiltration, persistence, or lateral movement. Public proof-of-concept material on PacketStorm demonstrates reliable exploitation against the 4.4.0 release.

CISA has added the CVE to its Known Exploited Vulnerabilities catalog, and vendor guidance directs administrators to upgrade immediately to version 4.4.1 or later. Horizon3 analysis further details the deserialization and command-injection paths that must be addressed by the patch.

The vulnerability shows sustained high exploitation probability, with an EPSS score currently at 0.9442 and a recorded peak of 0.9750, consistent with its presence on the CISA KEV list.

EU & UK References

Vulnerability details

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.

CWE(s)
KEV Date Added: 20 May 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nextgen
Product: mirth connect
Versions: ≤ 4.4.1

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2, Flaw Remediation): Directly requires timely application of the vendor patch (4.4.1 or later), which completes remediation of the incomplete fix for CVE-2023-37679.

- prevent (AC-3, Access Enforcement): Enforces authentication and access control decisions to block the unauthenticated network vectors used for RCE.

- prevent: Validates untrusted input to stop the crafted payloads that trigger CWE-78 command injection and CWE-502 deserialization.

References