CVE-2024-4883
published 2024-06-25


Priority: P1 84
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 64.78% (99.1th percentile)

In Progress WhatsUp Gold versions released before 2023.1.3, a remote code execution issue exists. This vulnerability allows an unauthenticated attacker to achieve RCE as a service account through NmApi.exe.

Affected

2 ranges
Vendor                         Product       Version range            Fixed in
progress                       whatsup_gold  < 23.1.3                 23.1.3
progress_software_corporation  whatsup_gold  >= 2023.1.0 < 2023.1.3   2023.1.3

Detection & IOCs (extracted from sources)

port: 9643
process: NmApi.exe
path: \WhatsUp\html\NmConsole\
snort:
alert tcp any any -> $HOME_NET 9643 (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883)"; flow:established,to_server; content:"|00|W|00|h|00|a|00|t|00|s|00|U|00|p|00 5c 00|h|00|t|00|m|00|l|00 5c 00|N|00|m|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00 5c 00|"; fast_pattern; pcre:"/^(?:[\x20-\x7e]\x00)+\x2e\x00a\x00s\x00p\x00x\x00/Ri"; reference:url,summoning.team/blog/progress-whatsup-gold-writedatafile-cve-2024-4883-rce/; reference:cve,2024-4883; classtype:web-application-activity; sid:2055953; rev:1; metadata:affected_product WhatsUp_Gold, created_at 2024_09_18, cve CVE_2024_4883, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_09_18, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Monitor TCP traffic to port 9643 (NmApi.exe service port) for inbound connections containing UTF-16LE encoded path traversal strings targeting the WhatsUp\html\NmConsole\ directory.
  • Use the PCRE pattern to detect UTF-16LE encoded .aspx file extensions in the payload, indicative of a webshell being written via the WriteDataFile directory traversal primitive.
  • The exploit is pre-authentication (unauthenticated attacker); alert on any external source reaching port 9643 on WhatsUp Gold hosts, not just authenticated sessions.
  • The Snort/Suricata rule targets $HOME_NET on port 9643; ensure your HOME_NET variable includes all WhatsUp Gold server IPs and that port 9643 is not blocked before the sensor to guarantee coverage.
  • The rule is classified under MITRE tactic Discovery (T1083 File_And_Directory_Discovery) but the actual impact is RCE; tune alerting priority accordingly so it is not suppressed as a low-severity discovery event.
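
The content and PCRE conditions of the rule above, applied offline to reassembled TCP payload bytes (for example, streams to port 9643 exported from a packet capture). This is an added example, not part of the rule or its source; the function name, the sample payloads and the placeholder path prefix are constructed for illustration.

```python
import re

# Rule's content match: a 0x00 byte followed by the UTF-16LE text
# "WhatsUp\html\NmConsole\" (exact bytes, as written in the rule).
PATH_MARKER = b"\x00" + "WhatsUp\\html\\NmConsole\\".encode("utf-16-le")

# Rule's relative PCRE (/Ri): immediately after the marker, one or more
# printable ASCII characters in UTF-16LE, then ".aspx", case-insensitive.
ASPX_TAIL = re.compile(
    rb"(?:[\x20-\x7e]\x00)+\x2e\x00a\x00s\x00p\x00x\x00", re.IGNORECASE
)


def find_aspx_writes(payload: bytes) -> list[str]:
    """Return each decoded NmConsole .aspx path fragment the rule would match."""
    hits = []
    start = payload.find(PATH_MARKER)
    while start != -1:
        end = start + len(PATH_MARKER)
        m = ASPX_TAIL.match(payload, end)  # anchored at the end of the marker
        if m:
            # Skip the leading 0x00 so the slice is aligned UTF-16LE text.
            hits.append(payload[start + 1:m.end()].decode("utf-16-le"))
        start = payload.find(PATH_MARKER, start + 1)
    return hits


def _utf16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed sample payloads (not captured traffic); "X:\placeholder" is a
# placeholder prefix, not a path taken from the page.
_BASE = "X:\\placeholder\\WhatsUp\\html\\NmConsole\\"
SAMPLES = {
    "aspx_under_nmconsole": b"\x01\x02" + _utf16(_BASE + "sample.ASPX"),
    "txt_under_nmconsole": _utf16(_BASE + "notes.txt"),
    "ascii_not_utf16": (_BASE + "sample.aspx").encode("ascii"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {find_aspx_writes(data)}")
```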