Progress Software has released another round of updates to address six security flaws in WhatsUp Gold, including two critical vulnerabilities.
The issues, the company said, have been resolved in version 24.0.1 released on September 20, 2024. The company has yet to release any details about what the flaws are other than listing their CVE identifiers -
- CVE-2024-46905 (CVSS score: 8.8)
- CVE-2024-46906 (CVSS score: 8.8)
- CVE-2024-46907 (CVSS score: 8.8)
- CVE-2024-46908 (CVSS score: 8.8)
- CVE-2024-46909 (CVSS score: 9.8), and
- CVE-2024-8785 (CVSS score: 9.8)
Security researcher Sina Kheirkhah of Summoning Team has been credited with discovering and reporting the first four flaws. Andy Niu of Trend Micro has been acknowledged for CVE-2024-46909, while Tenable has been credited for CVE-2024-8785.
It's worth noting that Trend Micro recently reported that threat actors are actively exploiting proof-of-concept (PoC) exploits for other recently disclosed security flaws in WhatsUp Gold to conduct opportunistic attacks.
Previously, the Shadowserver Foundation said it had observed exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug in WhatsUp Gold that was resolved by Progress in June 2024.
WhatsUp Gold Customers are recommended to apply the latest fixes as soon as possible to mitigate potential threats.
Update
A proof-of-concept (PoC) exploit code for CVE-2024-8785 has now been released by Tenable, making it crucial that system administrators apply the latest patches as soon as possible.
"A registry overwrite remote code execution vulnerability exists in NmAPI.exe in WhatsUp Gold versions prior to 24.0.1," the company said. "An unauthenticated remote attacker could leverage this vulnerability to achieve remote code execution on the affected system."
(The story was updated after publication on December 4, 2024, to include information related to the public availability of PoC for CVE-2024-8785.)