CVE-2023-43208 — NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability

NextGen Healthcare Mirth Connect — Unauthenticated Java Deserialization Achieves RCE on Healthcare Integration Engines; Follow-On to CVE-2023-37679; Ransomware Targeting Healthcare

What is NextGen Healthcare Mirth Connect?

NextGen Healthcare's Mirth Connect is an open-source healthcare integration engine — a middleware platform that routes, transforms, and translates HL7 and other healthcare data messages between Electronic Health Record (EHR) systems, labs, imaging systems, billing platforms, and other healthcare applications. Mirth Connect is deployed at hospitals, clinics, health information exchanges (HIEs), and regional health networks, serving as the data backbone for patient record interoperability. Because Mirth Connect handles sensitive patient health information (PHI) and integrates deeply with EHR systems, its compromise can expose large volumes of patient data and provide an attacker with access to connected healthcare systems.

Overview

CVE-2023-43208 is an unauthenticated Java deserialization vulnerability in NextGen Healthcare Mirth Connect that enables remote code execution on the underlying server. It arises from the incomplete fix for CVE-2023-37679, an earlier deserialization vulnerability in Mirth Connect's HTTP listener: the fix shipped in version 4.3.0 left additional deserialization attack paths reachable, and Mirth Connect 4.4.1 addresses both issues. Ransomware groups exploited this vulnerability against healthcare organizations, and CISA added it to the KEV catalog in May 2024, seven months after the patch became available.

Affected Versions

Product                            Vulnerable   Fixed
NextGen Healthcare Mirth Connect   ≤ 4.4.0      4.4.1

Technical Details

CWE-502 (Deserialization of Untrusted Data). Mirth Connect's HTTP API listener accepts serialized Java objects as part of its message processing functionality. A flaw in the input validation and deserialization pipeline allows an unauthenticated attacker to send a specially crafted HTTP request containing a malicious serialized Java object. When the Mirth Connect server deserializes this object, attacker-controlled code executes in the Java Virtual Machine (JVM) context with the privileges of the Mirth Connect service — typically a privileged service account with access to all connected healthcare systems.

Java deserialization RCE attacks against healthcare middleware are particularly impactful because:

  • Mirth Connect typically runs with high-privilege service accounts to access healthcare system APIs
  • The server stores database credentials, API keys, and HL7 routing configurations in its internal database
  • Patient health information transiting through Mirth Connect's message queues may be accessible to a code execution attacker

Discovery

CVE-2023-37679 was discovered and reported to NextGen Healthcare, which patched it in Mirth Connect 4.3.0. Subsequent security research by Horizon3.ai found that the 4.3.0 fix was incomplete — an alternate deserialization path remained exploitable, assigned as CVE-2023-43208. NextGen released a complete fix in Mirth Connect 4.4.1. The 7-month gap between the patch and CISA KEV addition suggests the vulnerability was being actively exploited against unpatched healthcare deployments throughout early 2024.

Exploitation Context

Healthcare integration engines are high-value ransomware targets because disrupting the HL7 message routing between hospital systems can halt clinical operations (lab results stop flowing, medication orders become unreliable, and clinical workflows break down), creating patient safety pressure that motivates rapid ransom payment. Ransomware groups that target the healthcare sector (notably BlackCat/ALPHV and Cl0p) tracked Mirth Connect vulnerabilities and incorporated them into campaigns against hospitals and health networks.

Remediation

  1. Upgrade Mirth Connect to version 4.4.1 or later — this addresses both CVE-2023-43208 and the underlying CVE-2023-37679.
  2. Restrict network access to Mirth Connect's HTTP API listener (typically port 8080/8443) to trusted internal systems only — healthcare integration engines should never be internet-accessible.
  3. After upgrading, rotate all credentials stored in Mirth Connect's database: database connection passwords, HL7 endpoint credentials, and API keys for connected systems.
  4. Review Mirth Connect channel logs for unusual message activity — unexpected outbound connections or abnormal message volumes may indicate prior compromise.
  5. Ensure Mirth Connect service accounts follow the principle of least privilege — the service should only have access to the specific database accounts and systems it needs for HL7 routing.
  6. For healthcare organizations with Mirth Connect versions that cannot be immediately upgraded, consider deploying a network-layer control to whitelist only legitimate source IPs that should communicate with Mirth Connect.
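Steps 1, 4 and 6 above lend themselves to a small triage script. The following is an added example, not NextGen Healthcare's or Mirth Connect's own code: it checks a Mirth Connect version string against the fixed release and scans request log lines for Java serialized-object bodies or sources outside an allowlist. The log format, API paths and addresses are constructed for this example; the magic bytes are those of the standard Java serialization stream header.

```python
import re

FIXED_VERSION = (4, 4, 1)        # Mirth Connect 4.4.1 fixes CVE-2023-43208 and CVE-2023-37679
JAVA_SER_MAGIC_HEX = "aced0005"  # standard Java ObjectOutputStream header, hex-encoded

def parse_version(v: str) -> tuple:
    """'4.4.0' -> (4, 4, 0); trailing build suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Mirth Connect version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version: str) -> bool:
    """True for any release at or below 4.4.0, the affected range in this advisory."""
    return parse_version(version) < FIXED_VERSION

# Hypothetical one-request-per-line log format (constructed, not Mirth's own):
# <timestamp> <src_ip> <method> <path> <status> ct=<content-type> body=<hex prefix>
LOG_LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) ct=(?P<ct>\S+) body=(?P<body>\S*)"
)

def suspicious_requests(lines, allowed_sources):
    """Flag requests carrying a Java serialized object or arriving from outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                       # different log format; not this scanner's job
        reasons = []
        if m["src"] not in allowed_sources:
            reasons.append("source not in allowlist")
        if m["ct"].lower() == "application/x-java-serialized-object":
            reasons.append("java-serialized content type")
        if m["body"].lower().startswith(JAVA_SER_MAGIC_HEX):
            reasons.append("java serialization magic in body")
        if reasons:
            findings.append((m["src"], m["path"], reasons))
    return findings

# Constructed sample: two ordinary XML calls, one serialized object from an external host,
# and one from an allowlisted host (still worth investigating after a suspected compromise).
SAMPLE_LOG = """\
2024-03-02T10:15:01Z 10.20.30.40 POST /api/channels 200 ct=application/xml body=3c3f786d6c
2024-03-02T10:15:07Z 203.0.113.77 POST /api/users 500 ct=application/x-java-serialized-object body=aced00057372
2024-03-02T10:16:12Z 10.20.30.41 POST /api/channels 200 ct=application/xml body=3c3f786d6c
2024-03-02T10:17:45Z 10.20.30.40 POST /api/users 200 ct=application/xml body=aced00057372
""".splitlines()
ALLOWED_SOURCES = {"10.20.30.40", "10.20.30.41"}
```

Run `suspicious_requests(SAMPLE_LOG, ALLOWED_SOURCES)` to see the two flagged requests; a hit from an allowlisted host is the case step 4 asks you to look for.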

Key Details

Property               Value
CVE ID                 CVE-2023-43208
Vendor / Product       NextGen Healthcare — Mirth Connect
NVD Published          2023-10-26
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-502
CISA KEV Added         2024-05-20
CISA KEV Deadline      2024-06-10
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-06-10. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-10-06   Mirth Connect 4.4.1 released, patching CVE-2023-43208 (follow-on to CVE-2023-37679)
2023-10-26   CVE-2023-43208 published
2024-05-20   CISA adds CVE-2023-43208 to the Known Exploited Vulnerabilities catalog, 7 months after the patch
2024-06-10   CISA BOD 22-01 remediation deadline

References

Resource                                               Type
NextGen Healthcare Mirth Connect 4.4.1 Release Notes   Vendor Advisory
NVD — CVE-2023-43208                                   Vulnerability Database
CISA KEV Catalog Entry                                 US Government