CVE-2023-43208 Vulnerability
Published: 02/20/2026
Written by: Nadine Rozell
CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.
CVE-2023-43208 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting NextGen Healthcare Mirth Connect, a data integration platform widely used in the healthcare sector to process patient records (HL7, XML, etc.).
This page details how this Java deserialization flaw works, why the original patch failed, and how to secure your environment against it.
What is CVE-2023-43208 vulnerability?
CVE-2023-43208 is an insecure deserialization vulnerability within the Mirth Connect API.
It allows an unauthenticated attacker to send a specially crafted XML payload to the server. Because the application fails to properly validate the data before "unmarshalling" (processing) it, the payload executes arbitrary Java code with the privileges of the Mirth Connect service (often SYSTEM or root).
This vulnerability is actually a patch bypass for a previous issue, CVE-2023-37679. The initial fix was incomplete, allowing attackers to find new ways to execute code.
When was it discovered?
The vulnerability was disclosed byHorizon3.ai researchers in October 2023. It was notably added to theCISA Known Exploited Vulnerabilities (KEV) catalog on May 20, 2024, confirming active exploitation in the wild.
Affected products & versions
This vulnerability impacts Mirth Connect versions that rely on an insecure implementation of the XStream library.
Product | Versions Affected | Fixed Versions |
NextGen Mirth Connect | Versions prior to 4.4.1 | Mirth Connect 4.4.1 or later |
CVE-2023-43208 technical description
The core of the issue lies in how Mirth Connect uses the XStream Java library to convert XML data into Java objects.
In affected versions, the XmlMessageBodyReader class processes incoming XML requests before checking if the user is authenticated. This means any stranger on the internet can ask the server to process an XML file.
The previous patch (for CVE-2023-37679) attempted to fix this by creating a "denylist" of specific dangerous Java classes (like ProcessBuilder). However, attackers bypassed this by using other dangerous classes that weren't on the list, such as InvokerTransformer from the Apache Commons Collections library.
By chaining these allowed classes together, an attacker can construct a payload that the server dutifully executes, granting full remote control.
Tactics, techniques & procedures (TTPs)
Attackers, including the Chinese threat group Storm-1175 and various ransomware operators, utilize this vulnerability for Initial Access.
Reconnaissance: Attackers scan for Mirth Connect login portals (often on ports 8080 or 8443) exposing the /api/server/version endpoint to confirm the software version.
Exploitation: They send a POST request to an endpoint like /api/users. The body of the request contains the XML payload with the malicious XStream chain.
Execution: The server deserializes the XML, executes the embedded command (often a PowerShell script or shell command), and establishes a connection back to the attacker.
Impact: Since Mirth Connect handles sensitive patient data (PHI), this often leads tomassive data theft and ransomware deployment.
Indicators of compromise
Network Traffic: Unexpected outbound connections from your Mirth Connect server, particularly to unknown external IPs or on ports associated with command and control (e.g., 80, 443, 445).
Process Anomalies: The Mirth Connect Java process (java.exe or mcserver) spawning unexpected child processes like cmd.exe, powershell.exe, or /bin/bash.
Log Entries: While successful exploitation can be quiet, failed attempts might generate com.thoughtworks.xstream.converters.ConversionException or SecurityException errors in the Mirth Connect server logs (mirth.log).
Known proof-of-concepts & exploits
Horizon3.ai released a detailed technical write-up and Proof-of-Concept (PoC) exploit in January 2024.
The exploit is highly reliable because it targets the fundamental way the application handles data, not a specific configuration. Automated exploit scripts are widely available in penetration testing toolkits and are actively used by threat actors.
Data Breach Guide
Our data breach guide breaks down how breaches happen, what they really cost, and, most importantly, how you can stop them from gutting your business.
How to detect CVE-2023-43208 vulnerability?
Version Checking: You can actively check your version by sending a request to the API: curl -k -H 'X-Requested-With: OpenAPI' https://
: /api/server/version If it returns a version lower than 4.4.1, you are vulnerable. Vulnerability Scanning: Tools like Nessus, Qualys, and Rapid7 have plugins to detect this specific CVE.
Endpoint Monitoring: Ensure your Managed EDR is monitoring the Mirth Connect host for suspicious process ancestry (e.g., Java launching shells).
Impact & risk of CVE-2023-43208 vulnerability
The risk is Critical.
Because Mirth Connect is an "interface engine," it sits at the heart of a healthcare network, connecting Electronic Health Records (EHR), labs, and other critical systems. Compromising this server gives attackers a perfect pivot point to access the entire network and steal massive amounts of Protected Health Information (PHI).
Mitigation & remediation strategies
Patch Immediately: Upgrade Mirth Connect to version 4.4.1 or later. This version replaces the failed "denylist" approach with a strict "allowlist," which only permits safe classes to be processed.
Isolate the Server: Ensure your Mirth Connect administrative interface is not exposed to the public internet. It should only be accessible via VPN or from a restricted internal management network.
Least Privilege: Run the Mirth Connect service with the lowest possible privileges (e.g., a dedicated service account), never as SYSTEM or Root, to limit the damage if a compromise occurs.
CVE-2023-43208 Vulnerability FAQs
Protect What Matters
