CVE-2024-4883
Published 2024-06-25
Priority: P184, critical, 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 64.78% (99.1th percentile)
In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | whatsup_gold | < 23.1.3 | 23.1.3 |
| progress_software_corporation | whatsup_gold | >= 2023.1.0 < 2023.1.3 | 2023.1.3 |
Detection & IOCs
Snort
```
alert tcp any any -> $HOME_NET 9643 (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883)"; flow:established,to_server; content:"|00|W|00|h|00|a|00|t|00|s|00|U|00|p|00 5c 00|h|00|t|00|m|00|l|00 5c 00|N|00|m|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00 5c 00|"; fast_pattern; pcre:"/^(?:[\x20-\x7e]\x00)+\x2e\x00a\x00s\x00p\x00x\x00/Ri"; reference:url,summoning.team/blog/progress-whatsup-gold-writedatafile-cve-2024-4883-rce/; reference:cve,2024-4883; classtype:web-application-activity; sid:2055953; rev:1; metadata:affected_product WhatsUp_Gold, created_at 2024_09_18, cve CVE_2024_4883, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_09_18, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```
- Monitor TCP traffic to port 9643 (NmApi.exe service port) for inbound connections containing UTF-16LE encoded path traversal strings targeting the WhatsUp\html\NmConsole\ directory.
- Use the PCRE pattern to detect UTF-16LE encoded .aspx file extensions in the payload, indicative of a webshell being written via the WriteDataFile directory traversal primitive.
- The exploit is pre-authentication (unauthenticated attacker); alert on any external source reaching port 9643 on WhatsUp Gold hosts, not just authenticated sessions.
- The Snort/Suricata rule targets $HOME_NET on port 9643; ensure your HOME_NET variable includes all WhatsUp Gold server IPs and that port 9643 is not blocked before the sensor to guarantee coverage.
- The rule is classified under MITRE tactic Discovery (T1083 File_And_Directory_Discovery) but the actual impact is RCE; tune alerting priority accordingly so it is not suppressed as a low-severity discovery event.
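The rule's two match stages (the `content` bytes, then the relative `pcre`) reproduced offline in Python, so the logic can be checked against payload bytes pulled from a capture. This is an added example, not code from the rule's authors or the sources indexed here; `matched_paths`, `utf16_field` and the sample buffers are constructed for illustration, and the rule's port and flow conditions are not modelled.

```python
import re

# Stage 1, the rule's content keyword: a leading 0x00 followed by
# "WhatsUp\html\NmConsole\" in UTF-16LE (case-sensitive, as in the rule).
PREFIX = b"\x00" + "WhatsUp\\html\\NmConsole\\".encode("utf-16-le")

# Stage 2, the rule's pcre: one or more printable UTF-16LE characters, then
# ".aspx". The i flag makes it case-insensitive.
TAIL = re.compile(rb"(?:[\x20-\x7e]\x00)+\x2e\x00a\x00s\x00p\x00x\x00", re.I)


def matched_paths(payload: bytes) -> list[str]:
    """Return the decoded path at every offset where both stages match."""
    hits, start = [], 0
    while (idx := payload.find(PREFIX, start)) != -1:
        # Anchor stage 2 at the end of the content match, like the R flag.
        m = TAIL.match(payload, idx + len(PREFIX))
        if m:
            # Skip the leading 0x00 so the slice is aligned UTF-16LE.
            hits.append(payload[idx + 1:m.end()].decode("utf-16-le"))
        start = idx + 1
    return hits


def utf16_field(text: str) -> bytes:
    """Constructed framing: two junk bytes, UTF-16LE text, NUL terminator."""
    return b"\x01\x02" + text.encode("utf-16-le") + b"\x00\x00"


# Constructed samples; the drive letter and parent directory are placeholders.
BASE = "X:\\placeholder\\WhatsUp\\html\\NmConsole\\"
SAMPLES = {
    "aspx under NmConsole": utf16_field(BASE + "constructed.aspx"),
    "upper-case extension": utf16_field(BASE + "A.ASPX"),
    "non-aspx file": utf16_field(BASE + "report.txt"),
    "no file name": utf16_field(BASE + ".aspx"),
    "ASCII, not UTF-16LE": (BASE + "constructed.aspx").encode("ascii"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} -> {matched_paths(data) or 'no match'}")
```

Only the first two samples match: the pcre needs at least one file-name character before `.aspx`, and a path sent as single-byte ASCII never satisfies the UTF-16LE content bytes.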
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883)
suricata·2024-09-18·CVSS 9.8
No public exploits indexed.
No writeups or analysis indexed.
2024-06-25
Published