The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting NextGen Healthcare Mirth Connect to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The flaw, tracked as CVE-2023-43208 (CVSS score: N/A), concerns a case of unauthenticated remote code execution arising from an incomplete patch for another critical flaw, CVE-2023-37679 (CVSS score: 9.8).
Details of the vulnerability were first disclosed by Horizon3.ai in late October 2023, with additional technical specifics and a proof-of-concept (PoC) exploit released earlier this January.
Mirth Connect is an open-source data integration platform widely used by healthcare companies, allowing for data exchange between different systems in a standardized manner.
CVE-2023-43208 is "ultimately related to insecure usage of the Java XStream library for unmarshalling XML payloads," security researcher Naveen Sunkavally said, describing the flaw as easily exploitable.
CISA has not provided any information about the nature of the attacks exploiting the flaw, and it's unclear who weaponized them or when the in-the-wild exploitation was recorded.
Also added to the KEV catalog is a newly disclosed type confusion bug impacting the Google Chrome browser (CVE-2024-4947) that the tech giant has acknowledged as exploited in real-world attacks.
Federal agencies are required to update to a patched version of the software – Mirth Connect version 4.4.1 or later and Chrome version 125.0.6422.60/.61 for Windows, macOS, and Linux – by June 10, 2024, to secure their networks against active threats.
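The root cause named above is a general one: XStream instantiates whatever class an XML payload names unless the application restricts it. The following is an added example, not Mirth Connect's code and not derived from the Horizon3.ai research, showing what a default-deny XStream configuration looks like. The `PatientRecord` class, the `patient` alias and the sample XML strings are hypothetical and constructed for this illustration; the `addPermission`, `allowTypes` and `ForbiddenClassException` calls are XStream's own security-framework API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not Mirth Connect's code): unmarshal XML with XStream behind a
 * default-deny allowlist, so a payload that names an arbitrary class is
 * rejected instead of instantiated.
 */
public class SafeXStreamExample {

    /** Hypothetical message type the application expects; the only object type it allows. */
    public static class PatientRecord {
        public String id;
        public String name;
    }

    /** Build an XStream instance that only instantiates the types we name explicitly. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "deny everything", then re-enable only what the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, PatientRecord.class });
        xstream.alias("patient", PatientRecord.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample: a benign payload for the allowlisted type.
        String benign = "<patient><id>123</id><name>Example</name></patient>";
        PatientRecord rec = (PatientRecord) xstream.fromXML(benign);
        System.out.println("parsed id=" + rec.id + " name=" + rec.name);

        // Constructed sample: the root element names a JDK class that is not on the
        // allowlist. With the allowlist in place, XStream refuses to instantiate it.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: payload was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The detection angle for defenders is the same check run in reverse: a `ForbiddenClassException` in application logs for an endpoint that should only ever receive known message types is a signal worth alerting on, since it means a client sent XML naming a class the endpoint was never meant to construct.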