Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Flaws in Progress Software WhatsUp Gold Expose Systems to Full Compromise

Censys warns of over 1,200 internet-accessible WhatsUp Gold instances potentially exposed to malicious attacks.

Critical vulnerabilities in Progress Software’s enterprise network monitoring and management solution WhatsUp Gold could expose systems to full compromise.

Offering visibility into devices, applications, servers, and traffic, WhatsUp Gold allows organizations to monitor their cloud and on-premises infrastructure, making it a critical component of enterprise environments.

This week, Censys said it was seeing over 1,200 WhatsUp Gold instances accessible from the internet, warning that many of them might be impacted by a recently disclosed critical-severity flaw for which proof-of-concept (PoC) code has been released.

The issue, tracked as CVE-2024-4885 (CVSS score of 9.8), could allow remote, unauthenticated attackers to execute arbitrary code on affected WhatsUp Gold instances.

According to the Summoning Team, which discovered and reported the bug in April, CVE-2024-4885 exists because WhatsUp Gold’s implementation of the GetFileWithoutZip method does not properly validate user input.

The remote code execution (RCE) vulnerability was addressed in May with the release of WhatsUp Gold version 23.1.3, which resolved three other critical-severity vulnerabilities and multiple high-severity bugs.

In a June advisory, Progress Software warned that WhatsUp Gold releases up to 23.1.2 were vulnerable, urging customers to upgrade to a patched iteration as soon as possible.

“These vulnerabilities can expose customers to exploitation. While we have not seen evidence of a known exploit, your system(s) could be compromised – including unauthorized access to a root account,” Progress warned.

Advertisement. Scroll to continue reading.

In mid-August, the software maker announced another security update for WhatsUp Gold, namely version 24.0.0, which resolves two other critical-severity bugs, again urging customers to upgrade their installations.

The upgrade process, however, may not be simple. While customers can upgrade WhatsUp Gold versions 20.0.2 and above to 24.0.0, previous iterations need to be upgraded to 20.0.2 first, which requires contacting Progress’ customer service to obtain an installation file.

WhatsUp Gold has multiple components, which Progress recommends installing on a dedicated, physically isolated server – the company also recommends using strong account passwords, entrusting administrative accounts to trusted users only, and applying security best practices.

Upgrading to a new version requires administrators to log in to Progress’ customer portal, verify their license, download the latest software iteration, install it, and then restart the server.

The need to perform the upgrade manually could deter some administrators from going through the process each time a new WhatsUp Gold iteration comes out, and it is highly likely that at least some of the internet-exposed instances observed by Censys have not been patched against CVE-2024-4885.

While there are no reports of this vulnerability being actively exploited, the public availability of PoC code and the existence of several other critical-severity flaws in previous WhatsUp Gold iterations should convince administrators to upgrade to the latest version as soon as possible.

Related: Thousands of Apps Using AWS ALB Exposed to Attacks Due to Configuration Issue

Related: Azure Kubernetes Services Vulnerability Exposed Sensitive Information

Related: Thousands of LG TVs Possibly Exposed to Remote Hacking

Related: Pimcore Platform Flaws Exposed Users to Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.