CVE-2024-4885
Published: 2024-06-25
Priority: P1 (100), critical; CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2025-03-24
Exploited in the wild
EPSS: 99.29% (99.9th percentile)
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | whatsup_gold | < 23.1.3 | 23.1.3 |
| progress_software_corporation | whatsup_gold | >= 2023.1.0 < 2023.1.3 | 2023.1.3 |
Detection & IOCs
- Use the following Trend Vision One / Endpoint Activity Data query to hunt for suspicious NmPoller.exe activity: "nmpoller.exe" AND eventSubId:(2 OR 101 OR 109 OR 901)
- The vulnerable endpoint is WhatsUp.ExportUtilities.Export.GetFileWithoutZip, which allows unauthenticated RCE with iisapppool\nmconsole privileges. Look for unauthenticated HTTP requests targeting this endpoint.
- Exploitation of CVE-2024-4885 in the wild was first observed December 6, 2024, with 8 unique malicious IPs observed through March 2, 2025, predominantly sourced from Hong Kong, Russia, and Brazil.
- The IOCs (URLs, IPs, dropped files) observed in the wild are primarily associated with CVE-2024-6670/6671 exploitation campaigns, not CVE-2024-4885 directly. The sources reference CVE-2024-4885 as a related WhatsUp Gold RCE vulnerability (CVSS 9.8, fixed June 2024) that attracted attacker attention, but the detailed payload IOCs are from the August 2024 CVE-2024-6670/6671 campaign. Defenders should treat these IOCs as indicative of the broader WhatsUp Gold attack ecosystem.
- CVE-2024-4885 affects WhatsUp Gold versions released before 2023.1.3. Exploitation executes with iisapppool\nmconsole privileges, not SYSTEM-level, which may affect lateral movement capability assessments.
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
GHSA
GHSA-qcj6-wq2r-c3xh
ghsa_unreviewed·2024-06-25
CVE-2024-4885 [CRITICAL] CWE-22
VulnCheck
Progress WhatsUp Gold Path Traversal Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-4885 [CRITICAL] CWE-22
Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.
Affected: Progress WhatsUp Gold
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-06&host_type=src&vulnerability=cve-2024-4885; https://x.com/Shadowserver/status/1821121075704647731; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-08&host_type=src&vulnerability=cve-2024-4885; https://dashboard.shadowserver.org/statistics/hone
CISA
Progress WhatsUp Gold Path Traversal Vulnerability
cisa·2025-03-03·CVSS 9.8
CVE-2024-4885 [CRITICAL] CWE-22
Affected: Progress WhatsUp Gold
Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 ; https://nvd.nist.gov/vuln/detail/CVE-2024-4885
Remediation Due Date: 2025-03-24
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M2 - Outbound Admin Session Attempt (CVE-2024-4885)
suricata·2024-09-18·CVSS 9.8
CVE-2024-4885 [CRITICAL]
Rule: alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M2 - Outbound Admin Session Attempt (CVE-2024-4885)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Session/Login/?sUsername=admin&sPassword="; fast_pattern; startswith; reference:url,summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/; reference:cve,2024-4885; classtype:attempted-admin; sid:2055952; rev:1; metadata:affected_product WhatsUp_Gold, attack_target Server, tls_state plaintext, created_at 2024_09_18, cve CVE_2024_4885, deployment P
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M3 - Payload Retrieval Attempt (CVE-2024-4885)
suricata·2024-09-18·CVSS 9.8
CVE-2024-4885 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M3 - Payload Retrieval Attempt (CVE-2024-4885)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/NmConsole/Data/ExportedReports/"; fast_pattern; startswith; content:".aspx"; endswith; reference:url,summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/; reference:cve,2024-4885; classtype:attempted-admin; sid:2055958; rev:1; metadata:affected_product WhatsUp_Gold, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_18, cve CVE_2024_4885, depl
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M1 - Payload Delivery (CVE-2024-4885)
suricata·2024-09-18·CVSS 9.8
CVE-2024-4885 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution Attempt M1 - Payload Delivery (CVE-2024-4885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/NmAPI/RecurringReport"; fast_pattern; http.content_type; content:"text/xml|3b 20|charset=utf-8"; http.header; header_lowercase; content:"soapaction|3a 20|http|3a 2f 2f|tempuri.org|2f|irecurringreportservices|2f|testrecurringreport"; http.request_body; content:"|3c|a|3a|ZipEnabled|3e|false|3c 2f|a|3a|ZipEnabled|3e|"; content:"|22|renderType|22 3a 22|aspx|22|"; reference:url,summon
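The request patterns the three ET rules above key on can also be hunted retrospectively in web logs. The following is an added example, not part of the ET ruleset or any vendor tooling: it assumes IIS W3C logs carrying a #Fields directive, and the log lines, IP addresses and the high/medium/low verdict labels are constructed for illustration.

```python
# Added example: triage IIS W3C logs for the ET rule URIs. Log lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-08-06 10:01:02 192.0.2.10 POST /NmAPI/RecurringReport - 203.0.113.7 200
2024-08-06 10:01:09 192.0.2.10 GET /NmConsole/Data/ExportedReports/a1b2c3.aspx - 203.0.113.7 200
2024-08-06 10:05:00 192.0.2.10 POST /NmAPI/RecurringReport - 198.51.100.9 200
2024-08-06 10:07:00 192.0.2.10 GET /NmConsole/Data/ExportedReports/x.aspx - 198.51.100.44 404
""".splitlines()


def classify(method, stem, query):
    """Map one request to the ET rule stage it resembles (M1/M2/M3) or None."""
    method, stem, query = method.upper(), stem.lower(), query.lower()
    if method == "POST" and "/nmapi/recurringreport" in stem:
        return "M1"  # payload delivery; URI-only, these logs lack SOAPAction and body
    if method == "GET" and stem == "/session/login/" and query.startswith("susername=admin&spassword="):
        return "M2"  # outbound admin-session request; expect it in egress/proxy logs
    if method == "GET" and stem.startswith("/nmconsole/data/exportedreports/") and stem.endswith(".aspx"):
        return "M3"  # retrieval of an .aspx from the report export directory
    return None


def parse_w3c(lines):
    """Yield a dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt(lines):
    """Return {client_ip: {"stages": [...], "verdict": str}} for matching requests."""
    seen = defaultdict(list)
    for r in parse_w3c(lines):
        stage = classify(r.get("cs-method", ""), r.get("cs-uri-stem", ""), r.get("cs-uri-query", ""))
        if stage:
            seen[r.get("c-ip", "unknown")].append((stage, r.get("sc-status", "")))
    report = {}
    for ip, events in seen.items():
        stages = [s for s, _ in events]
        chained = "M1" in stages and "M3" in stages[stages.index("M1"):]
        served = any(s == "M3" and status == "200" for s, status in events)
        if chained and served:
            verdict = "high"    # delivery, then a served .aspx, from the same client
        elif "M3" in stages or "M2" in stages:
            verdict = "medium"  # retrieval or outbound stage seen without the full chain
        else:
            verdict = "low"     # M1 URI alone
        report[ip] = {"stages": stages, "verdict": verdict}
    return report

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Because the M1 rule also matches on the SOAPAction header and request body, which these log fields do not record, an M1 hit by URI alone is only a starting point for review.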
Nuclei
Progress Software WhatsUp Gold GetFileWithoutZip Directory Traversal - Remote Code Execution
nuclei·CVSS 9.8
CVE-2024-4885 [CRITICAL]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of GetFileWithoutZip method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account.
Template:
id: CVE-2024-4885
info:
  name: Progress Software WhatsUp Gold GetFileWithoutZip Directory Traversal - Remote Code Execution
  author: SinSinology,iamnoooob,rootxharsh,pdresearch
  severity: critical
  description:
Checkpoint
10th March – Threat Intelligence Report
blogs_checkpoint·2025-03-10
CVE-2025-22224 10th March – Threat Intelligence Report
## 10th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The City of Mission, Texas, has declared a local state of emergency following a severe cybersecurity incident that threatens to expose protected personal information, health records, and other critical data managed by city departments. The emergency declaration was issued by Mayor Norie Gonzalez Garza on March 4, 2025, after
Greynoiseio
GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities
blogs_greynoiseio·2025-03-04·CVSS 8.8
[HIGH] GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities
Bleepingcomputer
Progress urges admins to patch critical WhatsUp Gold bugs ASAP
blogs_bleepingcomputer·2024-09-27·CVSS 8.8
[HIGH] Progress urges admins to patch critical WhatsUp Gold bugs ASAP
## Progress urges admins to patch critical WhatsUp Gold bugs ASAP
## Sergiu Gatlan
Progress Software warned customers to patch multiple critical and high-severity vulnerabilities in its WhatsUp Gold network monitoring tool as soon as possible.
However, even though it released WhatsUp Gold 24.0.1, which addressed the issues last Friday and published an advisory on Tuesday, the company has yet to provide any details regarding these flaws.
"The WhatsUp Gold team has identified six vulnerabilities that exist in versions below 24.0.1," Progress warned customers this week.
"We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20. If you are running a version older than 24.0.1 and you do not upgrad
Trendmicro
Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
blogs_trendmicro·2024-09-12·CVSS 9.8
CVE-2024-6670 [CRITICAL] Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
Exploits & Vulnerabilities
## Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
By: Hitomi Kimura, Maria Emreen Viray, Sep 12, 2024
## Summary
Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30.
These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16, though active exploitation may have begun on the same day just after a PoC was published on August 30.
The timeline of events sugges
Bleepingcomputer
Hackers targeting WhatsUp Gold with public exploit since August
blogs_bleepingcomputer·2024-09-12·CVSS 9.8
CVE-2024-6670 [CRITICAL] Hackers targeting WhatsUp Gold with public exploit since August
## Hackers targeting WhatsUp Gold with public exploit since August
## Bill Toulas
Hackers have been leveraging publicly available exploit code for two critical vulnerabilities in the WhatsUp Gold network availability and performance monitoring solution from Progress Software.
The two flaws exploited in attacks since August 30 are SQL injection vulnerabilities tracked as CVE-2024-6670 and CVE-2024-6671 that allow retrieving encrypted passwords without authentication.
Despite the vendor addressing the security issues more than two weeks ago, many organizations still have to update the software and threat actors are capitalizing on the delay.
Progress Software released security updates to address the problems on August 16 and added instructions on how to detect potential compromise in a
Bleepingcomputer
Critical Progress WhatsUp RCE flaw now under active exploitation
blogs_bleepingcomputer·2024-08-07·CVSS 9.8
CVE-2024-4885 [CRITICAL] Critical Progress WhatsUp RCE flaw now under active exploitation
## Critical Progress WhatsUp RCE flaw now under active exploitation
## Bill Toulas
Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks.
The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older.
Proof-of-concept (PoC) exploits for CVE-2024-4885 are publicly available that target exposed WhatsUp Gold '/NmAPI/RecurringReport' endpoints.
Threat monitoring organization Shadowserver Foundation reports that the attempts started on August 1, 2024, coming from six distinct IP addresses.
## The CVE-2024-4885 RCE
Progress What
Greynoiseio
NoiseLetter August 2024
blogs_greynoiseio
NoiseLetter August 2024
- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
- https://www.progress.com/network-monitoring
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4885
2024-06-25: Published
2025-03-03: Added to CISA KEV
Exploited in the wild