CISA Warns of Attacks Exploiting NextGen Healthcare Mirth Connect Flaw

May 21, 2024 at 07:21AM

CISA has added a flaw in NextGen Healthcare's Mirth Connect, a widely used healthcare interface engine, to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2023-43208, the flaw can lead to unauthenticated remote code execution and was fixed in Mirth Connect version 4.4.1. Microsoft has reported ransomware operators exploiting this and a second Mirth Connect flaw for initial access.

Key Takeaways:

1. CISA has added a flaw affecting NextGen Healthcare's Mirth Connect product to its Known Exploited Vulnerabilities (KEV) catalog.

2. The vulnerability, identified as CVE-2023-43208, is a data deserialization issue that enables unauthenticated remote code execution. It is fixed in version 4.4.1.

3. The flaw was first disclosed in October 2023 by cybersecurity firm Horizon3.ai, which warned of its potential impact on healthcare organizations. It is a variant of CVE-2023-37679, which was patched in version 4.4.0 and whose fix it bypasses.

4. Horizon3.ai described the vulnerability as easy to exploit and identified more than 1,200 internet-exposed instances of NextGen Mirth Connect. Technical details and proof-of-concept (PoC) code were published in mid-January 2024.

5. CISA has instructed federal agencies to address CVE-2023-43208 by June 10, 2024. Microsoft has reported exploitation of Mirth Connect flaws for initial access by a China-based threat actor tracked as Storm-1175, which is known for deploying Medusa ransomware.

6. CISA may be aware of other attacks, but its KEV catalog entry does not specifically mention ransomware exploitation, and CVE-2023-37679 has yet to be added to the catalog.
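The practical question for a defender is which Mirth Connect installations still lack the two fixes named above and which of those are reachable from the internet. The following script is an added example written for this summary, not code from NextGen Healthcare, Horizon3.ai or CISA. It takes the fix versions from the article (4.4.0 for CVE-2023-37679, 4.4.1 for CVE-2023-43208), parses version strings, and ranks a constructed sample inventory by urgency; the host names, versions and exposure flags are made up for illustration, and an inventory in real use would come from your own asset data.

```python
"""Triage Mirth Connect installations against CVE-2023-37679 and CVE-2023-43208.

Fix versions follow the article: 4.4.0 closes CVE-2023-37679 and 4.4.1 closes
the bypass CVE-2023-43208. The inventory at the bottom is constructed sample
data (hypothetical hosts), not real systems.
"""
import re
from dataclasses import dataclass

# (major, minor, patch) of the first release containing each fix
FIX_CVE_2023_37679 = (4, 4, 0)
FIX_CVE_2023_43208 = (4, 4, 1)

# Accepts '4.4.1', '4.3', 'v4.4.0'. Any suffix after the numeric part
# (e.g. '-rc1') is ignored, so pre-release builds are treated as their
# final version; tighten this if your fleet runs pre-release builds.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch); raise ValueError instead of guessing."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Mirth Connect version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def missing_fixes(version):
    """List the CVE IDs whose fix is absent from the given version."""
    v = parse_version(version) if isinstance(version, str) else version
    missing = []
    if v < FIX_CVE_2023_37679:
        missing.append("CVE-2023-37679")
    if v < FIX_CVE_2023_43208:
        missing.append("CVE-2023-43208")
    return missing


@dataclass
class Host:
    name: str
    version: str
    internet_exposed: bool


def triage(hosts):
    """Return (priority, host name, missing CVEs) tuples, most urgent first.

    Unparseable versions are flagged UNKNOWN for manual review rather than
    silently treated as patched.
    """
    rows = []
    for h in hosts:
        try:
            missing = missing_fixes(h.version)
        except ValueError:
            rows.append(("UNKNOWN", h.name, []))
            continue
        if not missing:
            prio = "OK"
        elif h.internet_exposed:
            prio = "CRITICAL"  # unauthenticated RCE reachable from the internet
        else:
            prio = "HIGH"      # still exploitable by anyone with internal access
        rows.append((prio, h.name, missing))
    order = {"CRITICAL": 0, "HIGH": 1, "UNKNOWN": 2, "OK": 3}
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    Host("mirth-dmz-01", "4.3.0", True),
    Host("mirth-dmz-02", "4.4.0", True),
    Host("mirth-lab-01", "4.4.0", False),
    Host("mirth-prod-01", "4.4.1", True),
    Host("mirth-old-01", "unknown", False),
]

if __name__ == "__main__":
    for prio, name, missing in triage(SAMPLE_INVENTORY):
        print(f"{prio:9} {name:15} {', '.join(missing) or '-'}")
```

A host on 4.4.0 shows up as missing only CVE-2023-43208, which is exactly the population the KEV entry and the Horizon3.ai exposure count concern; anything older is missing both fixes. Hosts whose version cannot be parsed are surfaced separately so they are not mistaken for patched systems.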
