CVE-2024-4883
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on WhatsUp Gold systems through the NmApi.exe component. Attackers can achieve remote code execution as a service account, potentially gaining full control of affected systems. All WhatsUp Gold installations before version 2023.1.3 are vulnerable.
💻 Affected Systems
- Progress WhatsUp Gold
📦 What is this software?
WhatsUp Gold by Progress
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access to the network.
Likely Case
Attackers deploy ransomware, cryptocurrency miners, or backdoors to maintain access for future attacks.
If Mitigated
Limited impact due to network segmentation, strict firewall rules, and immediate patching preventing exploitation.
🎯 Exploit Status
The vulnerability requires no authentication and appears to be straightforward to exploit based on the CVSS score and description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.1.3 and later
Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
Restart Required: Yes
Instructions:
1. Download WhatsUp Gold version 2023.1.3 or later from the Progress website.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the WhatsUp Gold service and verify functionality.
🔧 Temporary Workarounds
Block NmApi.exe Network Access
Windows: Restrict network access to the NmApi.exe component using firewall rules
Windows Firewall: New-NetFirewallRule -DisplayName "Block NmApi" -Direction Inbound -Program "C:\Program Files\WhatsUp\NmApi.exe" -Action Block
Disable Unnecessary Services
Windows: Temporarily disable the vulnerable NmApi service if not required
sc.exe stop "WhatsUp Gold NmApi"
sc.exe config "WhatsUp Gold NmApi" start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WhatsUp Gold systems from the internet and other network segments
- Deploy intrusion detection/prevention systems with rules to detect and block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WhatsUp Gold version in the web interface under Help > About, or examine the installed version in Windows Programs and Features.
Check Version:
In WhatsUp Gold web interface: Navigate to Help > About, or check Windows registry: reg query "HKLM\SOFTWARE\Progress\WhatsUp Gold" /v Version
Verify Fix Applied:
Verify version is 2023.1.3 or higher and test that NmApi.exe functionality still works for legitimate purposes.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from NmApi.exe
- Suspicious network connections to NmApi.exe port
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- Unusual traffic patterns to/from WhatsUp Gold NmApi port
- Exploit kit traffic patterns
- Command and control beaconing from WhatsUp Gold system
SIEM Query:
source="*whatsup*" AND (process_name="NmApi.exe" AND (parent_process!="expected_parent" OR command_line CONTAINS "suspicious"))
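
The "Unusual process creation from NmApi.exe" indicator above, made concrete as an added example (not part of the original advisory or any vendor tooling): it triages process-creation records and flags children of NmApi.exe. The Sysmon Event ID 1 field names, the interpreter list and the sample records are assumptions constructed for illustration; baseline what NmApi.exe legitimately spawns in your environment and pass it as allowed_children.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample records (not real telemetry), one JSON object per line,
# using Sysmon Event ID 1 field names: UtcTime, Image, ParentImage, CommandLine.
SAMPLE_EVENTS = r'''
{"UtcTime":"2024-06-30 10:00:01","Image":"C:\\Program Files\\WhatsUp\\NmApi.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"NmApi.exe"}
{"UtcTime":"2024-06-30 10:05:12","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\WhatsUp\\NmApi.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2024-06-30 10:06:40","Image":"C:\\Windows\\System32\\WerFault.exe","ParentImage":"C:\\Program Files\\WhatsUp\\NmApi.exe","CommandLine":"WerFault.exe -u -p 4312"}
{"UtcTime":"2024-06-30 10:07:03","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe"}
'''

# Assumption: shells and script hosts a network-facing API service should not spawn.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path or "").name.lower()

def triage(lines, parent="nmapi.exe", allowed_children=frozenset()):
    """Return (severity, time, child, command line) for each child of `parent`."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(ev, dict) or basename(ev.get("ParentImage")) != parent:
            continue  # not a process started by NmApi.exe
        child = basename(ev.get("Image"))
        if child in allowed_children:
            continue  # baselined, expected child process
        severity = "high" if child in INTERPRETERS else "review"
        findings.append((severity, ev.get("UtcTime", "?"), child,
                         ev.get("CommandLine", "")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS.splitlines()):
        print(*finding, sep=" | ")
```

Matching on the file name rather than the full path keeps the check working when WhatsUp Gold is installed outside the path used in the firewall rule above.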