Summary:
A path traversal vulnerability that leads to a critical and unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2024-4885 reported on April 24th, 2024, affecting Progress WhatsUp Gold versions 23.1.2 and earlier has been actively exploited by threat actors since August 1, 2024. Zero Day Initiative (ZDI) publish a related advisory on July 3rd, 2024. This vulnerability, rated 9.8 on the CVSS v3 scale, permits unauthenticated remote attackers to execute arbitrary code on vulnerable systems with the privileges of the 'iisapppool\nmconsole' user. The exploitation leverages the '/NmAPI/RecurringReport' endpoint to deliver malicious payloads, potentially enabling attackers to establish persistent access through webshells. WhatsUp Gold provides complete visibility into application performance and network devices and devices in the cloud/on-premises. WhatsUp Gold is a legitimate service, however, when utilized with malicious intention, it acts as a form of C2 communication where you can manage all sorts of victims and their credentials remotely. The exact final payload delivered after this initial access technique is unknown, however establishing persistence on the network potentially indicates credential harvesting or ransomware operations.

Security Officer Comments:
The emergence of active exploitation attempts targeting the recently patched CVE-2024-4885 in Progress WhatsUp Gold underscores the critical importance of timely implementation of security updates. Organizations utilizing WhatsUp Gold versions prior to 23.1.3 are strongly advised to prioritize patching or implementing mitigating controls. The availability of proof-of-concept exploit code exacerbates the threat severity, as it lowers the technical barrier for malicious actors. Given the severity of the vulnerability and the observed exploitation activity, security teams should enhance threat detection capabilities to identify potential indicators of compromise associated with this attack vector. Network traffic analysis, endpoint detection and response (EDR), and intrusion detection systems (IDS) should be configured to detect suspicious activity related to the '/NmAPI/RecurringReport' endpoint and other relevant indicators. Additionally, organizations should implement strict access controls, including network segmentation and firewall rules, to limit exposure of WhatsUp Gold instances to the internet. Regular vulnerability assessments and penetration testing can help identify and remediate vulnerabilities before exploitation.

Suggested Corrections:
To protect against exploitation of CVE-2024-4885, immediate and comprehensive measures should be implemented. Prioritizing the installation of the Progress WhatsUp Gold 23.1.3 patch is paramount to eliminate the vulnerability entirely. If patching is infeasible, implementing robust mitigation strategies is crucial. Network segmentation can isolate the WhatsUp Gold environment, restricting external access and limiting potential damage. Enforcing strict access controls, such as requiring strong authentication and authorization, can hinder unauthorized access. Additionally, implementing firewall rules to block incoming traffic on ports 9642 and 9643, except for trusted IP addresses, can effectively protect the '/NmAPI/RecurringReport' endpoint. Continuous monitoring of system logs and network traffic for anomalies indicative of exploitation attempts is an essential aspect of security posture. Regular vulnerability assessments and penetration testing can identify and address potential weaknesses in the environment.

Link(s):
https://www.bleepingcomputer.com/news/security/critical-progress-whatsup-rce-flaw-now-under-active-exploitation/

https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/