CVE-2023-37679

CRITICAL EXPLOITED RANSOMWARE NUCLEI

Mirth Connect Deserialization RCE

Title source: metasploit

Exploitation Summary

CVE-2023-37679 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 2 public exploits from researchers including jakabakos, r00t, Naveen Sunkavally, Spencer McIntyre, including a Metasploit module exploits/multi/http/mirth_connect_cve_2023_43208. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2023-37679 and CVE-2023-43208, targeting Nextgen's Mirth Connect. The exploits leverage deserialization vulnerabilities to achieve remote code execution (RCE) via crafted XML payloads sent to the `/api/users` endpoint.

Description

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.

Exploits (2)

github WORKING POC 5 stars

by jakabakos · pythonpoc

https://github.com/jakabakos/CVE-2023-43208-mirth-connect-rce-poc/tree/master/CVE-2023-37679.py

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2023-37679 and CVE-2023-43208, targeting Nextgen's Mirth Connect. The exploits leverage deserialization vulnerabilities to achieve remote code execution (RCE) via crafted XML payloads sent to the `/api/users` endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Nextgen Mirth Connect (versions up to 4.4.0)

No auth needed

Prerequisites: Network access to the target Mirth Connect instance · Target must be running a vulnerable version (<= 4.4.0)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by r00t, Naveen Sunkavally, Spencer McIntyre · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mirth_connect_cve_2023_43208.rb

View Code ZIP pw:eip

This Metasploit module exploits a deserialization vulnerability in Mirth Connect (CVE-2023-37679 and CVE-2023-43208) to achieve remote code execution via crafted XML payloads. It includes gadget chains for both vulnerabilities, targeting versions 4.1.1 through 4.4.0.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Mirth Connect versions 4.1.1, 4.3.0, and 4.4.0

No auth needed

Prerequisites: Network access to the target's HTTP API (port 8443 by default) · SSL/TLS enabled on the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

NextGen Mirth Connect - Remote Code Execution

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: title:"mirth connect administrator" || http.title:"mirth connect administrator"

FOFA: title="mirth connect administrator"

References (4)

Core 4

Core References

Product

http://mirth.com

Product

http://nextgen.com

Exploit, Third Party Advisory

https://www.ihteam.net/advisory/mirth-connect

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9711

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-04-19

Ransomware Use Confirmed

CWE

CWE-77

Status published

Products (1)

nextgen/mirth_connect 4.3.0

Published Aug 03, 2023

Tracked Since Feb 18, 2026