CVE-2024-6670
Published 2024-08-29. CVE-2024-6670: In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Priority P1 · 9.8 critical (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerabilitydue 2024-10-07
Exploited in the wild
EPSS: 94.66% (99.8th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | whatsup_gold | < 24.0 | 24.0 |
| progress_software_corporation | whatsup_gold | >= 2023.1.0 < 2024.0.0 | 2024.0.0 |
Detection & IOCs (extracted from sources)
- URL: hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe?language=en&app=61021689825303726412222891579678345108&hostname=hxxp://185.123.100[.]160
- Use the following Trend Vision One / Endpoint Activity Data query to hunt for suspicious NmPoller.exe activity: "nmpoller.exe" AND eventSubId:(2 OR 101 OR 109 OR 901)
- Detect the presence of ftpd32.exe in C:\programdata\ as a dropped RAT payload associated with post-exploitation activity following CVE-2024-6670 exploitation.
- The Metasploit module auxiliary/admin/http/whatsup_gold_sqli.rb exploits CVE-2024-6670 by overwriting the password of an existing WhatsUp Gold user (e.g., the default admin account) via SQL injection. Detect exploitation attempts targeting WhatsUp Gold HTTP endpoints.
- The exploit (as demonstrated by the public PoC) overwrites the administrator password rather than simply reading it, enabling full account takeover. Detection should account for unexpected password changes on admin accounts, not just data exfiltration.
- NmPoller.exe process monitoring will also surface benign events such as product restarts and daily log file creation; baseline normal activity before alerting on all child process events.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | 9.8 | CRITICAL | |
| CISA | 9.8 | CRITICAL | |
CISA
Progress WhatsUp Gold SQL Injection Vulnerability
cisa·2024-09-16·CVSS 9.8
CVE-2024-6670 [CRITICAL] CWE-89 Progress WhatsUp Gold SQL Injection Vulnerability
Vulnerability: Progress WhatsUp Gold SQL Injection Vulnerability
Affected: Progress WhatsUp Gold
Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 ; https://nvd.nist.gov/vuln/detail/CVE-2024-6670
Remediation Due Date: 2024-10-07
GHSA
GHSA-x5hw-48mf-cq3m: In WhatsUp Gold versions released before 2024
ghsa_unreviewed·2024-08-30
CVE-2024-6670 [CRITICAL] CWE-89 GHSA-x5hw-48mf-cq3m: In WhatsUp Gold versions released before 2024
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
VulnCheck
Progress WhatsUp Gold SQL Injection Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-6670 [CRITICAL] CWE-89 Progress WhatsUp Gold SQL Injection Vulnerability
Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.
Affected: Progress WhatsUp Gold
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-20&host_type=src&vulnerability=cve-2024-6670; https://dashboard.shadowserver.org/sta
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670)
suricata·2024-09-19·CVSS 9.8
CVE-2024-6670 [CRITICAL] ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/NmConsole/WugSystemAppSettings/JMXSecurity"; fast_pattern; startswith; http.request_body; content:"|22|KeyStorePassword|22|"; content:"|22|TrustStorePassword|22|"; reference:url,summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/; reference:cve,2024-6670; classtype:attempted-admin; sid:2055982; rev:1; metadata:affected_product WhatsUp_Gold, attack_target Server, tls_state plaintext, created_at 2024_09_19, cve CVE_2024_6670, deployment Perimeter, deployment Internal, p
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670)
suricata·2024-09-19·CVSS 9.8
CVE-2024-6670 [CRITICAL] ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/NmConsole/Platform/PerformanceMonitorErrors/HasErrors"; fast_pattern; startswith; http.request_body; content:"|22|classId|22 3a 22|"; pcre:"/^[^\x22]*(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f
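The two Suricata rules above, and the "detect exploitation attempts targeting WhatsUp Gold HTTP endpoints" item under Detection & IOCs, reduce to one check: a POST whose URI starts with one of the two /NmConsole/ paths and whose body carries the rule's content markers. The Python below is an added editor example, not code from Emerging Threats, Progress or any source on this page; it replays that logic over an assumed JSON-lines HTTP request log (fields src, method, uri, body; the sample lines are constructed) so a defender can sweep historical proxy or IIS exports for attempts. The SQL keyword regex is a simplified stand-in for the second rule's pcre, which is cut off on this page, and that rule's sid is not visible here, so it is left unset.

```python
"""Replay-style detector mirroring the two ET Suricata rules for CVE-2024-6670.

Editor-added example, not part of the page's sources. Assumes an HTTP request
log exported as JSON lines with the fields src, method, uri and body.
"""
import json
import re
from typing import Iterable

# Constructed sample log lines (assumed JSON-lines format, not real traffic).
SAMPLE_LOG = """
{"src":"10.0.0.5","method":"GET","uri":"/NmConsole/Login.aspx","body":""}
{"src":"10.0.0.9","method":"POST","uri":"/NmConsole/WugSystemAppSettings/JMXSecurity","body":"{\\"KeyStorePassword\\":\\"x\\",\\"TrustStorePassword\\":\\"y\\"}"}
{"src":"10.0.0.9","method":"POST","uri":"/NmConsole/Platform/PerformanceMonitorErrors/HasErrors","body":"{\\"classId\\":\\"1 UNION SELECT 1\\"}"}
{"src":"10.0.0.7","method":"POST","uri":"/NmConsole/Platform/PerformanceMonitorErrors/HasErrors","body":"{\\"classId\\":\\"42\\"}"}
"""

# Simplified stand-in for the rule's pcre (the page's copy is truncated):
# the SQL statement keywords the rule lists, separated by whitespace.
SQL_KEYWORDS = re.compile(
    r"(?:UNION\s+SELECT|SELECT\s+(?:FROM|USER)|UPDATE\s+SET|DELETE\s+FROM"
    r"|INSERT\s+INTO|SHOW\s+(?:VARIABLES|TABLES|CURDATE|CURTIME))",
    re.IGNORECASE,
)

# Each entry mirrors one rule: http.method POST, http.uri startswith, body content.
RULES = [
    {
        "sid": 2055982,  # sid as shown on the page
        "msg": "ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password Encrypt Primitive (CVE-2024-6670)",
        "uri_prefix": "/NmConsole/WugSystemAppSettings/JMXSecurity",
        # |22|KeyStorePassword|22| and |22|TrustStorePassword|22| in the request body
        "body_check": lambda body: '"KeyStorePassword"' in body and '"TrustStorePassword"' in body,
    },
    {
        "sid": None,  # sid not visible on the page for this rule
        "msg": "ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Injection Authentication Bypass (CVE-2024-6670)",
        "uri_prefix": "/NmConsole/Platform/PerformanceMonitorErrors/HasErrors",
        # |22|classId|22 3a 22| is the literal  "classId":"  followed by SQL keywords
        "body_check": lambda body: '"classId":"' in body and SQL_KEYWORDS.search(body) is not None,
    },
]


def match_rules(record: dict) -> list:
    """Return the msg of every rule this request record matches."""
    if record.get("method") != "POST":  # rules only fire on POST to the server
        return []
    uri, body = record.get("uri", ""), record.get("body", "")
    return [r["msg"] for r in RULES if uri.startswith(r["uri_prefix"]) and r["body_check"](body)]


def scan_log(lines: Iterable[str]) -> list:
    """Return (src, msg) pairs for every hit; blank or unparsable lines are skipped."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        for msg in match_rules(rec):
            hits.append((rec.get("src", "?"), msg))
    return hits


if __name__ == "__main__":
    for src, msg in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src}: {msg}")
```

The fourth sample line is a legitimate-looking HasErrors call with a numeric classId and produces no hit, which is the point of keeping the body content check rather than alerting on the endpoint alone; the rules are URI-plus-body matches, so a log export that drops request bodies cannot reproduce them.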
Metasploit
WhatsUp Gold SQL Injection (CVE-2024-6670)
metasploit·CVSS 9.8
CVE-2024-6670 [CRITICAL] WhatsUp Gold SQL Injection (CVE-2024-6670)
This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user (such as of the default admin account) to an attacker-controlled one. WhatsUp Gold versions < v24.0.0 are affected.
Nuclei
WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-6670 [CRITICAL] WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Template:
```yaml
id: CVE-2024-6670

info:
  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  impact: |
    Unauthenticated attackers can exploit SQL injection to retrieve encrypted user passwords, modify admin credentials, and achieve authentication bypass for full system access.
  remediation: |
    Update WhatsUp Gold to version 2024.0.0 or later to
```
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz·2024-10-01·CVSS 9.0
CVE-2024-0132 [CRITICAL] Crying Out Cloud - October 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog.
## 🐞 High Profile Vulnerab
Bleepingcomputer
Progress urges admins to patch critical WhatsUp Gold bugs ASAP
blogs_bleepingcomputer·2024-09-27·CVSS 8.8
[HIGH] Progress urges admins to patch critical WhatsUp Gold bugs ASAP
## Progress urges admins to patch critical WhatsUp Gold bugs ASAP
By Sergiu Gatlan
Progress Software warned customers to patch multiple critical and high-severity vulnerabilities in its WhatsUp Gold network monitoring tool as soon as possible.
However, even though it released WhatsUp Gold 24.0.1, which addressed the issues last Friday and published an advisory on Tuesday, the company has yet to provide any details regarding these flaws.
"The WhatsUp Gold team has identified six vulnerabilities that exist in versions below 24.0.1," Progress warned customers this week.
"We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20. If you are running a version older than 24.0.1 and you do not upgrad
Trendmicro
Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
blogs_trendmicro·2024-09-12·CVSS 9.8
CVE-2024-6670 [CRITICAL] Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
Exploits & Vulnerabilities
## Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
By: Hitomi Kimura, Maria Emreen Viray, Sep 12, 2024
## Summary
Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30.
These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16, though active exploitation may have begun on the same day just after a PoC was published on August 30.
The timeline of events sugges
Bleepingcomputer
Hackers targeting WhatsUp Gold with public exploit since August
blogs_bleepingcomputer·2024-09-12·CVSS 9.8
CVE-2024-6670 [CRITICAL] Hackers targeting WhatsUp Gold with public exploit since August
## Hackers targeting WhatsUp Gold with public exploit since August
By Bill Toulas
Hackers have been leveraging publicly available exploit code for two critical vulnerabilities in the WhatsUp Gold network availability and performance monitoring solution from Progress Software.
The two flaws exploited in attacks since August 30 are SQL injection vulnerabilities tracked as CVE-2024-6670 and CVE-2024-6671 that allow retrieving encrypted passwords without authentication.
Despite the vendor addressing the security issues more than two weeks ago, many organizations still have to update the software and threat actors are capitalizing on the delay.
Progress Software released security updates to address the problems on August 16 and added instructions on how to detect potential compromise in a
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
Timeline: 2024-08-29 published · 2024-09-16 added to CISA KEV · exploited in the wild