CVE-2024-8785

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to modify registry values in WhatsUp Gold installations, potentially enabling system compromise. It affects WhatsUp Gold versions before 2024.0.1. Attackers can leverage NmAPI.exe to write to the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\ registry path.

💻 Affected Systems

Products:
  • WhatsUp Gold
Versions: All versions before 2024.0.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where NmAPI.exe is accessible remotely without authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through registry manipulation leading to remote code execution, persistence mechanisms, or disabling security controls.

🟠 Likely Case

Privilege escalation, service disruption, or installation of backdoors through registry modification.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent unauthorized access to WhatsUp Gold services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.0.1 or later

Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024

Restart Required: No

Instructions:

1. Download WhatsUp Gold 2024.0.1 or later from the Progress website.
2. Run the installer to upgrade.
3. Verify installation completes successfully.

🔧 Temporary Workarounds

Network Access Restriction (Platform: all)

Restrict network access to WhatsUp Gold services to trusted IPs only

Use firewall rules to block external access to WhatsUp Gold ports (typically 80, 443, 8080)

Service Hardening (Platform: Windows)

Configure NmAPI.exe to require authentication or restrict its permissions

Review and modify NmAPI.exe service configuration to enforce authentication

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WhatsUp Gold from untrusted networks
  • Deploy application control to prevent unauthorized execution of NmAPI.exe modifications

🔍 How to Verify

Check if Vulnerable:

Check WhatsUp Gold version in application interface or registry at HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\WhatsUp Gold\Version

Check Version:

reg query "HKLM\SOFTWARE\WOW6432Node\Ipswitch\WhatsUp Gold" /v Version

Verify Fix Applied:

Confirm version is 2024.0.1 or higher and test that NmAPI.exe no longer accepts unauthenticated registry modification requests

📡 Detection & Monitoring

Log Indicators:

  • Unusual registry modification events in Windows Security logs
  • Access to NmAPI.exe from unauthorized sources

Network Indicators:

  • Unexpected connections to WhatsUp Gold service ports from external IPs
  • Traffic patterns indicating registry manipulation attempts

SIEM Query:

source="Windows Security" AND (EventID=4657 OR EventID=4663) AND (ObjectName="*NmAPI.exe*" OR "*Ipswitch*")
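
The SIEM query above, expressed as triage logic over exported events. This is an added example, not part of the advisory or any vendor tooling. It assumes events exported as one JSON object per line with the standard 4657/4663 field names, and that registry auditing (a SACL) is enabled on the Ipswitch key so these events are generated; the sample events, value name and install path are constructed.

```python
import json
import ntpath

# Key named in the advisory, in the \REGISTRY\MACHINE form that Security
# event ObjectName fields use for HKEY_LOCAL_MACHINE.
WATCHED_KEY = r"\registry\machine\software\wow6432node\ipswitch"
WRITER = "nmapi.exe"

def classify(event):
    """Return 'value-write', 'key-access' or None for one parsed event."""
    key = event.get("ObjectName", "").lower()
    if not (key == WATCHED_KEY or key.startswith(WATCHED_KEY + "\\")):
        return None  # different key (also rejects look-alike prefixes)
    # ProcessName holds the full image path; compare the file name only.
    if ntpath.basename(event.get("ProcessName", "")).lower() != WRITER:
        return None
    if event.get("EventID") == 4657:
        return "value-write"  # a registry value was modified
    if event.get("EventID") == 4663 and event.get("ObjectType") == "Key":
        return "key-access"   # access attempt on the key; may be a read
    return None

def triage(json_lines):
    """Return (verdict, key, value name) for every flagged event."""
    hits = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((verdict, event["ObjectName"], event.get("ObjectValueName")))
    return hits

# Constructed sample events (not real telemetry); C:\example is a placeholder.
KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Ipswitch\WhatsUp Gold"
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"EventID": 4657, "ObjectName": KEY, "ObjectValueName": "ExampleValue",
     "ProcessName": r"C:\example\NmAPI.exe"},
    {"EventID": 4657, "ObjectName": KEY, "ObjectValueName": "ExampleValue",
     "ProcessName": r"C:\Windows\regedit.exe"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": KEY,
     "ProcessName": r"C:\example\NmAPI.exe"},
    {"EventID": 4657, "ObjectName": KEY.replace("Ipswitch", "IpswitchOther"),
     "ObjectValueName": "ExampleValue", "ProcessName": r"C:\example\NmAPI.exe"},
    {"EventID": 4663, "ObjectType": "File", "ObjectName": r"C:\example\NmAPI.exe",
     "ProcessName": r"C:\Windows\explorer.exe"},
])

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

In 4657 events the registry key is in ObjectName and the writing process is in ProcessName, so the two conditions are matched on separate fields here; flagged events are leads to correlate with the network indicators listed above.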
