Critical Security Flaw in WhatsUp Gold Under Active Attack – Patch Now

Aug 08, 2024 | Ravie Lakshmanan | Vulnerability / Network Security

A critical security flaw impacting Progress Software WhatsUp Gold is seeing active exploitation attempts, making it essential that users move quickly to apply the latest fixes.

The vulnerability in question is CVE-2024-4885 (CVSS score: 9.8), an unauthenticated remote code execution bug impacting versions of the network monitoring application released before 2023.1.3.

“The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppoolnmconsole privileges,” the company said in an advisory released in late June 2024.

According to security researcher Sina Kheirkhah of the Summoning Team, the flaw resides in the implementation of the GetFileWithoutZip method, which fails to perform adequate validation of user-supplied paths prior to their use.

An attacker could take advantage of this behavior to execute code in the context of the service account. A proof-of-concept (PoC) exploit has since been released by Kheirkhah.
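The bug class Kheirkhah describes, a caller-supplied path that is joined to a base directory and used before it is validated, is illustrated below in Python as an added example. It is not WhatsUp Gold's code (which is .NET), and the export directory, helper names and sample paths are assumptions made for the illustration. It puts the unsafe join beside a containment check that survives absolute paths, `..` segments and the look-alike-directory pitfall that a plain prefix comparison misses.

```python
"""Illustration of an unvalidated user-supplied path (added example, not
WhatsUp Gold's code). The base directory and helper names are assumptions."""
import os

EXPORT_DIR = "/srv/exports"  # assumed export root for the example


def resolve_unsafe(base_dir: str, user_path: str) -> str:
    # Vulnerable pattern: the caller-controlled path is joined and used as-is.
    # os.path.join drops base_dir entirely when user_path is absolute, and
    # "../" segments walk out of base_dir.
    return os.path.join(base_dir, user_path)


def contained_by_prefix(base_dir: str, user_path: str) -> bool:
    # A common but insufficient fix: string-prefix comparison. It wrongly
    # accepts "/srv/exports2/..." because that string starts with "/srv/exports".
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return target.startswith(base)


def resolve_safe(base_dir: str, user_path: str) -> str:
    # Hardened pattern: canonicalise both sides, then require the resolved
    # target to share the base directory as a path component, not as a prefix.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes export directory: {user_path!r}")
    return target


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True if the unsafe resolver would hand back a path outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(resolve_unsafe(base_dir, user_path))
    return os.path.commonpath([base, target]) != base


if __name__ == "__main__":
    # Constructed inputs: one benign, three that leave the export root.
    for candidate in ["reports/q1.csv", "../../etc/passwd",
                      "/etc/passwd", "../exports2/x"]:
        print(f"{candidate!r:22} unsafe_escapes={escapes_base(EXPORT_DIR, candidate)!s:5} "
              f"prefix_check_accepts={contained_by_prefix(EXPORT_DIR, candidate)}")
```

The last input is the one worth remembering: a prefix comparison against `/srv/exports` accepts `/srv/exports2/x`, while `os.path.commonpath` rejects it because the shared component is only `/srv`.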

The Shadowserver Foundation said it has observed exploitation attempts against the flaw since August 1, 2024. “Starting Aug 1st, we see /NmAPI/RecurringReport CVE-2024-4885 exploitation callback attempts (so far 6 src IPs),” it said in a post on X.

WhatsUp Gold version 2023.1.3 also addresses two more critical flaws, CVE-2024-4883 and CVE-2024-4884 (CVSS scores: 9.8), both of which likewise enable unauthenticated remote code execution, through NmApi.exe and Apm.UI.Areas.APM.Controllers.CommunityController, respectively.

Also addressed by Progress Software is a high-severity privilege escalation issue (CVE-2024-5009, CVSS score: 8.4) that allows local attackers to elevate their privileges on affected installations by taking advantage of the SetAdminPassword method.

With flaws in Progress Software products regularly being abused by threat actors, it is essential that admins apply the latest security updates and allow traffic to the WhatsUp Gold web interface only from trusted IP addresses to mitigate potential threats.
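Putting the Shadowserver observation and the trusted-IP advice together: the Python below, an added example rather than anything from Progress or Shadowserver, walks IIS-style W3C log lines and reports requests to /NmAPI/RecurringReport that did not come from the administrator's trusted networks. The log lines are constructed for the example, the field order is an assumption (match it to the `#Fields:` header of the real log), and the 10.20.0.0/24 management subnet is a placeholder.

```python
"""Flag requests to /NmAPI/RecurringReport from untrusted sources
(added example; log lines and network ranges are constructed)."""
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C style. Field order is an assumption; real
# logs declare theirs in the #Fields: line, which the parser honours.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-08-01 03:12:44 GET /NmConsole/ 10.20.0.15 200
2024-08-01 03:13:01 POST /NmAPI/RecurringReport 203.0.113.7 500
2024-08-01 03:13:02 POST /NmAPI/RecurringReport 203.0.113.7 500
2024-08-01 03:15:30 POST /NmAPI/RecurringReport 10.20.0.15 200
2024-08-01 03:20:09 GET /NmConsole/Login 198.51.100.44 200
"""

# Endpoint named in Shadowserver's report; compared case-insensitively
# because IIS paths are not case-sensitive.
WATCHED_PATHS = {"/nmapi/recurringreport"}

# Assumed management subnet; replace with the networks that should reach the console.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_suspicious(text, trusted=TRUSTED_NETWORKS):
    """Return (timestamp, client ip, method, status) for watched-path hits
    from outside the trusted networks."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() in WATCHED_PATHS and not is_trusted(rec["c-ip"], trusted):
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"],
                         rec["cs-method"], rec["sc-status"]))
    return hits


def count_by_source(text, trusted=TRUSTED_NETWORKS):
    """Hits per untrusted source IP, the shape of Shadowserver's 'src IPs' tally."""
    return dict(Counter(ip for _, ip, _, _ in find_suspicious(text, trusted)))


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("untrusted request to watched path:", hit)
    print("per-source counts:", count_by_source(SAMPLE_LOG))
```

The same allowlist that drives the detection is what the mitigation sentence asks for at the network edge: whatever reaches the console from outside `TRUSTED_NETWORKS` should be blocked there, and anything that still shows up in the log for this path is worth an incident ticket regardless of status code.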
