Critical vulnerabilities in Progress Software’s enterprise network monitoring and management solution WhatsUp Gold could expose systems to full compromise.
Offering visibility into devices, applications, servers, and traffic, WhatsUp Gold allows organizations to monitor their cloud and on-premises infrastructure, making it a critical component of enterprise environments.
This week, Censys said it was seeing over 1,200 WhatsUp Gold instances accessible from the internet, warning that many of them might be impacted by a recently disclosed critical-severity flaw for which proof-of-concept (PoC) code has been released.
The issue, tracked as CVE-2024-4885 (CVSS score of 9.8), could allow remote, unauthenticated attackers to execute arbitrary code on affected WhatsUp Gold instances.
According to the Summoning Team, which discovered and reported the bug in April, CVE-2024-4885 exists because WhatsUp Gold’s implementation of the GetFileWithoutZip method does not properly validate user input.
The remote code execution (RCE) vulnerability was addressed in May with the release of WhatsUp Gold version 23.1.3, which resolved three other critical-severity vulnerabilities and multiple high-severity bugs.
In a June advisory, Progress Software warned that WhatsUp Gold releases up to 23.1.2 were vulnerable, urging customers to upgrade to a patched iteration as soon as possible.
“These vulnerabilities can expose customers to exploitation. While we have not seen evidence of a known exploit, your system(s) could be compromised – including unauthorized access to a root account,” Progress warned.
In mid-August, the software maker announced another security update for WhatsUp Gold, namely version 24.0.0, which resolves two other critical-severity bugs, again urging customers to upgrade their installations.
The upgrade process, however, may not be simple. While customers can upgrade WhatsUp Gold versions 20.0.2 and above to 24.0.0, previous iterations need to be upgraded to 20.0.2 first, which requires contacting Progress’ customer service to obtain an installation file.
WhatsUp Gold has multiple components, which Progress recommends installing on a dedicated, physically isolated server – the company also recommends using strong account passwords, entrusting administrative accounts to trusted users only, and applying security best practices.
Upgrading to a new version requires administrators to log in to Progress’ customer portal, verify their license, download the latest software iteration, install it, and then restart the server.
The need to perform the upgrade manually could deter some administrators from going through the process each time a new WhatsUp Gold iteration comes out, and it is highly likely that at least some of the internet-exposed instances observed by Censys have not been patched against CVE-2024-4885.
While there are no reports of this vulnerability being actively exploited, the public availability of PoC code and the existence of several other critical-severity flaws in previous WhatsUp Gold iterations should convince administrators to upgrade to the latest version as soon as possible.
Related: Thousands of Apps Using AWS ALB Exposed to Attacks Due to Configuration Issue
Related: Azure Kubernetes Services Vulnerability Exposed Sensitive Information
Related: Thousands of LG TVs Possibly Exposed to Remote Hacking
Related: Pimcore Platform Flaws Exposed Users to Code Execution