
Progress Software’s WhatsUp Gold, a widely used network monitoring solution, is under active attack due to two critical vulnerabilities (CVE-2024-6670 and CVE-2024-6671). These flaws enable unauthenticated remote code execution (RCE) via SQL injection, allowing attackers to steal encrypted passwords, hijack administrator accounts, and deploy malware. Exploits are already weaponized in the wild, with threat actors leveraging Proof-of-Concept (PoC) code published in late August 2024.
Key Takeaways for Security Leaders
Organizations running WhatsUp Gold should treat patching as urgent because the flaws are being exploited. CVE-2024-6670 (CVSS 9.8) and CVE-2024-6671 are SQL injection bugs that lead to RCE through the Active Monitor PowerShell Script feature. Attacks observed since August 30, 2024 install remote access tools such as Atera Agent and Splashtop. Progress fixed both flaws in WhatsUp Gold 2024.0.0, released August 16, and CISA added CVE-2024-6670 to its Known Exploited Vulnerabilities Catalog on September 16. Until the upgrade is in place, restrict API access to trusted networks and monitor NmPoller.exe activity.
Technical Analysis of the Vulnerabilities
The vulnerabilities stem from improper input sanitization in WhatsUp Gold's HasErrors method. The resulting SQL injection lets an unauthenticated attacker overwrite administrator passwords; the hijacked account can then run arbitrary PowerShell through the Active Monitor PowerShell Script feature, which executes under NmPoller.exe. Below is a breakdown of the CVEs:
CVE ID | Type | Impact | Affected Versions |
---|---|---|---|
CVE-2024-6670 | SQL Injection | Authentication bypass, RCE | Versions before 2024.0.0 |
CVE-2024-6671 | SQL Injection | Password retrieval, RCE chain | Versions before 2024.0.0 |
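The mechanism behind "SQL injection overwrites an administrator password" is easiest to see in code. The block below is an added example, not WhatsUp Gold's code and not the HasErrors method: it models the bug class with a minimal in-memory SQLite table and a password-change routine, first written with string concatenation and then with bound parameters. The table name, column names, the hypothetical "guest" user and the payload are all assumptions made for the demo.

```python
import sqlite3

# Added example: a minimal model of the SQL-injection bug class, NOT WhatsUp Gold's
# code. The users table, its columns and the "change password" operation are
# assumptions for the demo; the real flaw lives in a different method.


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one administrator and one low-privilege user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "hash-of-admin-secret"), ("guest", "hash-of-guest-secret")],
    )
    conn.commit()
    return conn


def get_hash(conn: sqlite3.Connection, username: str) -> str:
    """Read back the stored hash for one user (parameterized, used only for checking)."""
    return conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


def set_password_vulnerable(conn: sqlite3.Connection, username: str, new_hash: str) -> int:
    """Vulnerable: caller input is spliced into the statement text.

    Returns the number of rows updated; with honest input that is exactly 1.
    """
    sql = f"UPDATE users SET password_hash = '{new_hash}' WHERE username = '{username}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_password_safe(conn: sqlite3.Connection, username: str, new_hash: str) -> int:
    """Hardened: the same update with bound parameters; input never becomes SQL."""
    cur = conn.execute(
        "UPDATE users SET password_hash = ? WHERE username = ?", (new_hash, username)
    )
    conn.commit()
    return cur.rowcount


# Constructed payload: closes the quoted value, rewrites the WHERE clause to target
# the administrator, and comments out the remainder of the original statement.
ADMIN_TAKEOVER_PAYLOAD = "attacker-hash' WHERE username = 'admin' --"


def demo() -> dict:
    """Run the payload through both code paths and report what each did."""
    vuln = make_db()
    vuln_rows = set_password_vulnerable(vuln, "guest", ADMIN_TAKEOVER_PAYLOAD)
    safe = make_db()
    safe_rows = set_password_safe(safe, "guest", ADMIN_TAKEOVER_PAYLOAD)
    return {
        "vulnerable_admin_hash": get_hash(vuln, "admin"),
        "vulnerable_guest_hash": get_hash(vuln, "guest"),
        "vulnerable_rows_updated": vuln_rows,
        "safe_admin_hash": get_hash(safe, "admin"),
        "safe_guest_hash": get_hash(safe, "guest"),
        "safe_rows_updated": safe_rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path the low-privilege "guest" change request ends up executing `UPDATE users SET password_hash = 'attacker-hash' WHERE username = 'admin' --' ...`, so the administrator's credential is replaced and guest's is untouched. In the hardened path the identical payload is stored verbatim as guest's own hash and admin is unaffected. Escaping quotes is not an adequate substitute for parameter binding; the fix is that the input is never interpreted as SQL text.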
Exploitation Tactics Observed in the Wild
Attackers follow a consistent exploitation flow:
- Initial Access: Unauthenticated HTTP requests to vulnerable endpoints such as /api/v1/admin.
- SQL Injection: Malicious payloads exfiltrate encrypted passwords or inject commands.
- RCE Execution: Abuse of NmPoller.exe to run PowerShell scripts that fetch payloads from attacker-controlled servers.
- Persistence: Deployment of remote access tools via msiexec.exe (e.g., payloads downloaded from hxxps://fedko[.]org).
Detection and Mitigation Strategies
Security teams should monitor for:
- Process Creation: NmPoller.exe spawning powershell.exe or msiexec.exe.
- Network Traffic: Outbound connections to suspicious IPs such as 185.123.100.160.
- SIEM Rules: Sigma rules available via SOC Prime's Threat Detection Marketplace.
Remediation Steps
To protect against exploitation:
- Patch Immediately: Upgrade to WhatsUp Gold 2024.0.0 or later.
- Harden Configurations: Disable unnecessary API endpoints and enforce MFA.
- Monitor Anomalies: Deploy SIEM rules to detect suspicious NmPoller.exe activity.
Conclusion
The rapid weaponization of these flaws highlights the critical need for prompt patch management. Organizations using legacy versions should assume compromise and conduct forensic reviews. Future attacks may escalate to ransomware deployment, given the observed RAT installations.