CVE-2024-6671
published 2024-08-29
CVE-2024-6671: In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an…
Priority P188 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS
14.89%
96.3th percentile
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | whatsup_gold | >= 23.1.0 < 24.0 | 24.0 |
| progress_software_corporation | whatsup_gold | >= 2023.1.0 < 2024.0.0 | 2024.0.0 |
Detection & IOCs (extracted from sources)
url: hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe?language=en&app=61021689825303726412222891579678345108&hostname=hxxp://185.123.100[.]160
- Monitor process creation events spawned by NmPoller.exe (WhatsUp Gold polling process). Child processes such as powershell.exe or msiexec.exe are highly suspicious and indicate Active Monitor PowerShell Script abuse.
- Trend Vision One query for detecting suspicious NmPoller.exe activity: search Endpoint Activity Data for nmpoller.exe with eventSubId values 2, 101, 109, or 901.
- The exploit SQL injection payload targets the DeviceStatisticalMonitors endpoint, injecting into the statisticalMonitorTable parameter to UPDATE ProActiveAlert with the extracted password value from GlobalSettings, using the marker string 'psyduck' to identify exfiltrated data.
- A second-stage SQL injection payload updates the WebUser table to overwrite the admin password with the extracted encrypted value, enabling authentication bypass.
- Detect RAT installation attempts via msiexec.exe spawned from NmPoller.exe. Observed RATs include Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote.
- The regex pattern '"psyduck\d+(,\d+)*"' in HTTP responses from /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds indicates successful SQL injection exfiltration of the encrypted password.
- NmPoller.exe can execute PowerShell scripts without launching a separate powershell.exe child process, meaning process-tree-based detections looking for powershell.exe as a child of NmPoller.exe may miss some attack variants.
- The Vision One query for nmpoller.exe will also surface benign product restart and daily logfile creation events; analysts must baseline and exclude normal events before alerting.
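The detection notes above, combined into one triage pass over process-creation events and HTTP responses. This is an added example, not code from any of the cited sources; the event field names, host names, file paths, the `baseline` set and all sample records are constructed assumptions.

```python
import re

# Marker regex and endpoint are quoted from the detection notes above.
MARKER_RE = re.compile(r'"psyduck\d+(,\d+)*"')
MARKER_PATH = "/nmconsole/platform/filter/alertcenteritemsreportthresholds"
HIGH_RISK_CHILDREN = {"powershell.exe", "msiexec.exe"}

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev, baseline=frozenset()):
    """Alert on children of NmPoller.exe, skipping baselined benign images."""
    if image_name(ev["parent_image"]) != "nmpoller.exe":
        return None
    child = image_name(ev["image"])
    if child in baseline:
        return None
    sev = "high" if child in HIGH_RISK_CHILDREN else "review"
    return {"rule": "nmpoller_child", "severity": sev,
            "host": ev["host"], "child": child}

def check_http(rec):
    """Alert when the marker appears in a response from the reporting endpoint."""
    if not rec["path"].lower().startswith(MARKER_PATH):
        return None
    if MARKER_RE.search(rec["body"]) is None:
        return None
    return {"rule": "sqli_marker_in_response", "severity": "high",
            "host": rec["host"]}

def triage(proc_events, http_records, baseline=frozenset()):
    """Run both checks; the HTTP rule still fires when PowerShell runs in-process."""
    alerts = [check_process(e, baseline) for e in proc_events]
    alerts += [check_http(r) for r in http_records]
    return [a for a in alerts if a is not None]

# Constructed sample data (hypothetical field names, hosts and paths).
WUG = r"C:\WUG\NmPoller.exe"
PROC_EVENTS = [
    {"host": "wug01", "parent_image": WUG, "image": r"C:\Windows\System32\msiexec.exe"},
    {"host": "wug01", "parent_image": WUG, "image": r"C:\WUG\example-helper.exe"},
    {"host": "wug02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\powershell.exe"},
    {"host": "wug01", "parent_image": WUG, "image": r"C:\Windows\System32\cmd.exe"},
]
EP = "/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds"
HTTP_RECORDS = [
    {"host": "wug01", "path": EP, "body": '{"data":["psyduck49,50,51"]}'},
    {"host": "wug01", "path": EP, "body": '{"data":[]}'},
]
```

Calling `triage(PROC_EVENTS, HTTP_RECORDS, baseline={"example-helper.exe"})` returns three alerts: the msiexec.exe child, the unbaselined cmd.exe child for review, and the marker match in the HTTP response.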
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-hfxc-wfwp-6pqv: In WhatsUp Gold versions released before 2024
ghsa_unreviewed·2024-08-30
CVE-2024-6671 [CRITICAL] CWE-89 GHSA-hfxc-wfwp-6pqv: In WhatsUp Gold versions released before 2024
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
VulnCheck
Progress WhatsUp Gold Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2024·CVSS 9.8
CVE-2024-6671 [CRITICAL] Progress WhatsUp Gold Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Affected: Progress WhatsUp Gold
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-02-23&host_type=src&vulnerability=cve-2024-6671; https://dashboard.shadowserver.org/statistics/honeypot/vul
No detection rules found.
Nuclei
WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-6671 [CRITICAL] WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Template:
id: CVE-2024-6671
info:
  name: WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass
  author: daffainfo,jjcho
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  impact: |
    Unauthenticated attackers can exploit SQL injection to retrieve encrypted user passwords, modify admin
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz·2024-10-01·CVSS 9.0
CVE-2024-0132 [CRITICAL] Crying Out Cloud - October 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog.
## 🐞 High Profile Vulnerab
Bleepingcomputer
Progress urges admins to patch critical WhatsUp Gold bugs ASAP
blogs_bleepingcomputer·2024-09-27·CVSS 8.8
[HIGH] Progress urges admins to patch critical WhatsUp Gold bugs ASAP
## Progress urges admins to patch critical WhatsUp Gold bugs ASAP
## Sergiu Gatlan
Progress Software warned customers to patch multiple critical and high-severity vulnerabilities in its WhatsUp Gold network monitoring tool as soon as possible.
However, even though it released WhatsUp Gold 24.0.1, which addressed the issues last Friday and published an advisory on Tuesday, the company has yet to provide any details regarding these flaws.
"The WhatsUp Gold team has identified six vulnerabilities that exist in versions below 24.0.1," Progress warned customers this week.
"We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20. If you are running a version older than 24.0.1 and you do not upgrad
Trendmicro
Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
blogs_trendmicro·2024-09-12·CVSS 9.8
CVE-2024-6670 [CRITICAL] Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
Exploits & Vulnerabilities
## Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
By: Hitomi Kimura, Maria Emreen Viray, Sep 12, 2024
## Summary
Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30.
These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16, though active exploitation may have begun on the same day just after a PoC was published on August 30.
The timeline of events sugges
Bleepingcomputer
Hackers targeting WhatsUp Gold with public exploit since August
blogs_bleepingcomputer·2024-09-12·CVSS 9.8
CVE-2024-6670 [CRITICAL] Hackers targeting WhatsUp Gold with public exploit since August
## Hackers targeting WhatsUp Gold with public exploit since August
## Bill Toulas
Hackers have been leveraging publicly available exploit code for two critical vulnerabilities in the WhatsUp Gold network availability and performance monitoring solution from Progress Software.
The two flaws exploited in attacks since August 30 are SQL injection vulnerabilities tracked as CVE-2024-6670 and CVE-2024-6671 that allow retrieving encrypted passwords without authentication.
Despite the vendor addressing the security issues more than two weeks ago, many organizations still have to update the software and threat actors are capitalizing on the delay.
Progress Software released security updates to address the problems on August 16 and added instructions on how to detect potential compromise in a
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T