The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability in NextGen Healthcare's Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog.
Mirth Connect is a free, open-source integration engine widely used in healthcare to support interoperability, exchanging clinical data between disparate systems and applications using standards such as HL7, FHIR, and DICOM.
The vulnerability, tracked as CVE-2023-43208, is a deserialization of untrusted data flaw with a CVSS v3.1 base score of 9.8. It affects all versions before 4.4.1, allows unauthenticated remote code execution, and stems from an incomplete fix for the earlier CVE-2023-37679. According to Horizon3.ai researchers, exploitation requires no credentials, is straightforward, and gives an attacker full control of a vulnerable Mirth Connect server.
Horizon3.ai's NodeZero pentesting platform has successfully exploited the vulnerability in assessments of several healthcare organizations. The researchers published an alert in January 2024 urging healthcare organizations to upgrade to the patched version, noting at the time that the flaw was very likely already being exploited in attacks on the healthcare sector.
The vulnerability was first disclosed in October 2023 and fixed in version 4.4.1; yet, although a patch has been available for seven months, many healthcare organizations have still not upgraded and remain exposed. CISA did not say which threat actors are exploiting the flaw, but Microsoft reported in April that it had observed Storm-1175, a China-based threat actor it tracks, exploiting the vulnerability for initial access. Beyond initial access, the flaw can also be used for lateral movement within a network, opening up access to sensitive medical data, including protected health information (PHI).
If a Mirth Connect server is exposed to the Internet, it should be patched immediately; if it cannot be patched promptly, it should be taken off the Internet until it can be. The listener to restrict is the Administrator/API port (8443 by default), which is the surface the vulnerability is reached through. Even where Mirth Connect is not Internet-facing, patching should still be prioritized, since the flaw can be exploited from inside the network for lateral movement. Federal civilian agencies must update to version 4.4.1 or later by June 10, 2024.
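The following script is an added example for inventorying Mirth Connect instances against the 4.4.1 fix threshold; it is not code from the original article, from NextGen Healthcare, or from Horizon3.ai. It assumes (and you should verify against your own deployment) that a server reports its version string from the Administrator/API listener on port 8443 at the `/api/server/version` path; the version-comparison logic itself needs no network access and handles build suffixes such as `-SNAPSHOT` and two-part versions like `4.4`.

```shell
#!/bin/sh
# Added example: flag Mirth Connect servers still running a release before 4.4.1
# (CVE-2023-43208 fix). Assumption: GET /api/server/version on the Administrator/API
# port (8443 by default) returns the bare version string; confirm this before relying on it.

FIXED_VERSION="4.4.1"

# version_key VERSION -> prints a sortable integer (major*1000000 + minor*1000 + patch).
# Anything after the dotted numeric part (e.g. "-SNAPSHOT") is ignored; missing
# fields count as 0, so "4.4" is treated as 4.4.0.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# is_vulnerable VERSION -> exit 0 if VERSION is older than 4.4.1,
# 1 if it is 4.4.1 or newer, 2 if no version could be parsed.
is_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    [ -n "$v" ] || return 2
    [ "$(version_key "$v")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# fetch_version HOST [PORT] -> prints the version string reported by a live server.
# -k is used only because Mirth ships with a self-signed certificate by default.
fetch_version() {
    host="$1"; port="${2:-8443}"
    curl -sk --max-time 10 -H 'Accept: text/plain' "https://$host:$port/api/server/version"
}

# check_host HOST [PORT] -> 0 if the host needs patching, 1 if it is fixed, 2 if unknown.
check_host() {
    ver=$(fetch_version "$@") || { echo "$1: unreachable"; return 2; }
    [ -n "$ver" ] || { echo "$1: could not read version"; return 2; }
    if is_vulnerable "$ver"; then
        echo "$1: Mirth Connect $ver is before $FIXED_VERSION: patch or take offline"
        return 0
    fi
    echo "$1: Mirth Connect $ver is at or after $FIXED_VERSION"
    return 1
}

# Usage: sh mirth-check.sh host1 host2:8443 ...  (a host without a port uses 8443)
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        h=${target%%:*}; p=${target#*:}
        [ "$p" = "$target" ] && p=8443
        check_host "$h" "$p" || true
    done
fi
```

Treat a result of "unknown" as a follow-up item rather than a pass: a server that does not answer the version request may still be running a vulnerable build behind a firewall rule, and internal instances need the same check because the flaw is being used for lateral movement.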