Critical Vulnerabilities Uncovered in Progress WhatsUp Gold (CVE-2024-6670 & CVE-2024-6671)
The Progress WhatsUp Gold team has recently disclosed multiple critical vulnerabilities affecting all versions of the software released before 2024.0.0. These vulnerabilities, identified as CVE-2024-6670, CVE-2024-6671, and CVE-2024-6672, pose significant risks to organizations using outdated versions of the network monitoring tool. While no reports of active exploitation have surfaced, the potential impact on operations is severe, prompting an urgent call for all users to upgrade their systems immediately.
Each of the identified vulnerabilities stems from SQL Injection, which could allow attackers to gain unauthorized access to sensitive data and escalate privileges within the network:
- CVE-2024-6670: With a CVSS score of 9.8, this vulnerability allows an unauthenticated attacker to retrieve encrypted passwords from the system if the application is configured with only a single user. The potential for unauthorized access is high, making it a critical threat to any organization relying on this configuration.
- CVE-2024-6671: Sharing the same CVSS score of 9.8, this vulnerability also targets single-user configurations, enabling attackers to retrieve encrypted passwords through SQL Injection. The similarity to CVE-2024-6670 underscores the urgency for organizations to review their user configurations and implement the necessary patches.
- CVE-2024-6672: Slightly less severe with a CVSS score of 8.8, this vulnerability allows a low-privileged authenticated attacker to escalate their privileges by modifying the password of a privileged user. Exploiting this flaw could enable attackers to gain unauthorized control over the system, leading to potentially catastrophic consequences.
These vulnerabilities were discovered and reported by Sina Kheirkhah of the Summoning Team, in collaboration with the Trend Micro Zero Day Initiative.
Progress WhatsUp Gold users are strongly encouraged to upgrade to the latest version (2024.0.0 or newer) to mitigate these risks.
The importance of this upgrade cannot be overstated. As the threat landscape continues to evolve, outdated software versions become prime targets for cybercriminals. Earlier this month, threat actors attempted to exploit a different but related WhatsUp Gold vulnerability (CVE-2024-4885), which underscores the danger of leaving systems unpatched.