Skip to main content

Progress Software Releases Security Advisory for WhatsUp Gold

The advisory addresses two critical and four high severity vulnerabilities

Threat ID:
CC-4556
Threat Severity:
Medium
Published:
30 September 2024 3:37 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

The advisory addresses two critical and four high severity vulnerabilities

Affected platforms

The following platforms are known to be affected:

Versions: All prior to 2024.0.1

Progress Software WhatsUp Gold

Threat details

Proof-of-concept code released for CVE-2024-8785

Proof-of-concept code for CVE-2024-8785 has been released. Exploitation is considered more likely.

Introduction

Progress Software has released an advisory that addresses 6 vulnerabilities in the WhatsUp Gold system, including 2 with a CVSSv3 score of 9.8. WhatsUp Gold is a network availability and performance monitoring package.

Vulnerability details have been added below. 

Threat updates

Date Update
4 Dec 2024 CVE information and proof-of-concept status added.

Remediation advice

Affected organisations are encouraged to review Progress Software's advisory WhatsUp Gold Security Bulletin– September 2024 and apply the relevant updates.

CVE Vulnerabilities

Status Published

CVE-2024-46908

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
Status Published

CVE-2024-46907

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
Status Published

CVE-2024-46906

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
Status Published

CVE-2024-46905

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
Status Published

CVE-2024-46909

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.
Status Published

CVE-2024-8785

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

Last edited: 4 December 2024 3:49 pm