CVE-2024-4885
📋 TL;DR
An unauthenticated remote code execution vulnerability in Progress WhatsUp Gold allows attackers to execute arbitrary commands with IIS application pool privileges. This affects WhatsUp Gold versions before 2023.1.3, potentially compromising network monitoring systems.
💻 Affected Systems
- Progress WhatsUp Gold
📦 What is this software?
WhatsUp Gold is a network monitoring product by Progress.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal credentials, pivot to other systems, and disrupt network monitoring operations.
Likely Case
Attackers gain initial foothold on the network monitoring system, install backdoors, and use it as a pivot point for lateral movement within the network.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.
🎯 Exploit Status
The vulnerability is unauthenticated and has a high CVSS score of 9.8, making it attractive for exploitation. CISA has added it to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.1.3 and later
Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
Restart Required: Yes
Instructions:
1. Download WhatsUp Gold version 2023.1.3 or later from the Progress website.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the WhatsUp Gold service and IIS.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to WhatsUp Gold to only trusted IP addresses and networks.
Use Windows Firewall: New-NetFirewallRule -DisplayName "Block WhatsUp Gold External" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress Any -Action Block
With -RemoteAddress Any this rule blocks every inbound connection on ports 80 and 443, trusted clients included, because Windows Firewall block rules take precedence over allow rules; use it when the goal is to cut off web access entirely. To admit a trusted range instead, scope an Allow rule's -RemoteAddress to that range (for example -RemoteAddress 10.0.0.0/8) and make sure no broader inbound allow rule for those ports remains.
Application Pool Isolation
Run WhatsUp Gold in a dedicated application pool with minimal privileges.
In IIS Manager:
1. Create a new application pool.
2. Set its identity to a custom account with minimal privileges.
3. Assign the WhatsUp Gold site to this pool.
🧯 If You Can't Patch
- Immediately isolate the WhatsUp Gold server from the internet and restrict internal network access
- Implement strict network monitoring and alerting for suspicious activity targeting the WhatsUp Gold server
🔍 How to Verify
Check if Vulnerable:
Check the WhatsUp Gold version in the web interface under Help > About, or examine the installed version in Windows Programs and Features.
Check Version:
In WhatsUp Gold web interface: Navigate to Help > About, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Ipswitch\WhatsUp\Version
Verify Fix Applied:
Verify the version is 2023.1.3 or later and test that the Export.GetFileWithoutZip functionality works properly without allowing unauthorized access.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to Export.GetFileWithoutZip endpoints in IIS logs
- Suspicious process creation events from w3wp.exe (IIS worker process)
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- Unusual outbound connections from the WhatsUp Gold server
- Traffic to known malicious IPs or domains from the server
- Unexpected network scanning originating from the server
SIEM Query:
source="iis_logs" AND (uri="*Export.GetFileWithoutZip*" OR (status=200 AND uri="*/export/*")) | stats count by src_ip, uri
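For environments without a SIEM, the same detection logic can be run directly over exported IIS W3C logs. The script below is an added example, not part of this advisory or of any Progress tooling: it reads the #Fields directive to map columns, flags requests that match the query above, and separately counts unauthenticated hits on the Export.GetFileWithoutZip endpoint (the vulnerability needs no login, so those are the ones to triage first). The log sample and the /export/ path prefix are constructed for illustration.

```python
from collections import Counter

# Constructed IIS W3C log sample for this example; not from a real server.
# The "/export/" prefix is an assumption, only the endpoint name comes from the advisory.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2024-06-25 10:00:01 GET /Default.aspx - - 10.0.0.20 200
2024-06-25 10:00:07 GET /export/Report.aspx - admin 10.0.0.20 200
2024-06-25 10:00:09 GET /export/Export.GetFileWithoutZip - - 203.0.113.7 200
2024-06-25 10:00:10 GET /export/Export.GetFileWithoutZip - - 203.0.113.7 200
2024-06-25 10:00:12 GET /Export/export.getfilewithoutzip - - 203.0.113.7 500
"""

ENDPOINT = "export.getfilewithoutzip"


def parse_iis_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_suspicious(rec):
    """Same predicate as the SIEM query: endpoint hit, or any 200 under /export/."""
    uri = rec.get("cs-uri-stem", "").lower()
    return ENDPOINT in uri or (rec.get("sc-status") == "200" and "/export/" in uri)


def summarize(text):
    """Return (hits by (client ip, uri), unauthenticated endpoint hits by client ip)."""
    hits, unauth = Counter(), Counter()
    for rec in parse_iis_w3c(text):
        if not is_suspicious(rec):
            continue
        hits[(rec["c-ip"], rec["cs-uri-stem"])] += 1
        # cs-username "-" means IIS saw no authenticated user on the request.
        if ENDPOINT in rec["cs-uri-stem"].lower() and rec.get("cs-username", "-") == "-":
            unauth[rec["c-ip"]] += 1
    return hits, unauth


if __name__ == "__main__":
    for (ip, uri), n in summarize(SAMPLE_LOG)[0].items():
        print(f"{ip:>15}  {n:>3}  {uri}")
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; any source with more than a handful of unauthenticated endpoint hits warrants a look at w3wp.exe child processes from the same time window.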
🔗 References
- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
- https://www.progress.com/network-monitoring
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4885