Exploit Released for Critical WhatsUp Gold RCE Flaw, Patch Now

Summary:
Researchers have disclosed a PoC exploit for CVE-2024-8785, a critical remote code execution vulnerability in Progress WhatsUp Gold, a widely used enterprise network monitoring tool. The vulnerability stems from the improper use of a privileged API, specifically the NmAPI.exe endpoint, which enables unauthenticated remote attackers to manipulate the Windows Registry. By exploiting this flaw, attackers can modify or create registry values under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch.

When the Ipswitch Service Control Manager service restarts, such as after a system reboot or Windows update, it reads configuration files from the location set by those registry values, which the attacker now controls. These files allow the attacker to specify processes to be executed, including malicious executables. This gives the attacker a pathway to run arbitrary code on the compromised system.
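A defender's check for the registry tampering described above, as an added example that is not from the advisory or from Progress: it diffs two `reg export` snapshots and reports values created, modified or deleted under the Ipswitch key. The subkey and value names in the sample data are constructed placeholders.

```python
import re

# Key named in the advisory; every value beneath it is compared.
WATCHED = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch".upper()

def parse_reg_export(text):
    """Parse `reg export` text into {(key, value_name): raw_data}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name = m.group(1)
            values[(key, name if name == "@" else name[1:-1])] = m.group(2)
    return values

def diff_snapshots(baseline, current):
    """List (kind, key, name, old, new) for changes under WATCHED."""
    def watched(snap):
        return {k: v for k, v in snap.items()
                if k[0].upper() == WATCHED
                or k[0].upper().startswith(WATCHED + "\\")}
    old, new = watched(baseline), watched(current)
    changes = []
    for k in sorted(old.keys() | new.keys()):
        if k not in old:
            changes.append(("created", *k, None, new[k]))
        elif k not in new:
            changes.append(("deleted", *k, old[k], None))
        elif old[k] != new[k]:
            changes.append(("modified", *k, old[k], new[k]))
    return changes

# Constructed sample exports; subkey and value names are placeholders.
HEADER = "Windows Registry Editor Version 5.00\n\n"
KEY = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\ExampleSubkey]\n"
BASELINE = HEADER + KEY + '"ExampleDir"="C:\\\\Example\\\\"\n"ExampleFlag"=dword:00000001\n'
CURRENT = (HEADER + KEY + '"ExampleDir"="D:\\\\Changed\\\\"\n"ExampleFlag"=dword:00000001\n'
           '"ExampleNew"="added"\n'
           '\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Other]\n"Ignored"="x"\n')

if __name__ == "__main__":
    for change in diff_snapshots(parse_reg_export(BASELINE), parse_reg_export(CURRENT)):
        print(change)
```

`reg export` writes UTF-16 files, so read them with `encoding="utf-16"` before passing the text to `parse_reg_export`. Any reported change that does not match a known administrative action is worth reviewing before the service next restarts.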

Analyst Comments:
The vulnerability impacts WhatsUp Gold versions prior to 24.0.1. Tenable discovered and reported the issue to Progress Software in early September 2024. Progress subsequently released a patch on September 20, 2024, addressing this and other internally discovered vulnerabilities. Users are strongly advised to update to version 24.0.1 or later to mitigate the risk. Failure to patch could expose organizations to attack, as cybercriminals have repeatedly used publicly available PoC exploits for WhatsUp Gold vulnerabilities in the past. Timely remediation is critical to secure affected environments and prevent unauthorized access or system compromise.

Suggested Corrections:
CVE-2024-8785 affects WhatsUp Gold versions prior to version 24.0.1. The vulnerability was discovered and reported by Tenable to Progress Software in early September 2024. The company released fixes for it (as well as other internally-discovered vulnerabilities) on September 20 and urged users to upgrade their environment to a fixed version (v24.0.1) as soon as possible.

Link(s):
https://www.helpnetsecurity.com/2024/12/04/poc-exploit-cve-2024-8785-whatsup-gold/
https://www.tenable.com/security/research/tra-2024-48
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024