CVE-2024-6671
published 2024-08-29

Priority: P188, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW); exploit available; listed in VulnCheck KEV
EPSS: 14.89% (96.3rd percentile)
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

Affected (2 ranges)

Vendor                         Product       Version range           Fixed in
progress                       whatsup_gold  >= 23.1.0 < 24.0        24.0
progress_software_corporation  whatsup_gold  >= 2023.1.0 < 2024.0.0  2024.0.0

Detection & IOCs (extracted from sources)

path: c:\programdata\a.ps1
path: C:\programdata\ftpd32.exe
path: c:\windows\temp\MSsetup.msi
process: NmPoller.exe
command: POST /NmConsole/Platform/Filter/DeviceStatisticalMonitors HTTP/1.1
path: /NmConsole/Platform/Filter/DeviceStatisticalMonitors
path: /NmConsole/WugSystemAppSettings/JMXSecurity
path: /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds
path: /NmConsole/User/LoginAjax
cookie: ASP.NET_SessionId
other: shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
  • Monitor process creation events spawned by NmPoller.exe (WhatsUp Gold polling process). Child processes such as powershell.exe or msiexec.exe are highly suspicious and indicate Active Monitor PowerShell Script abuse.
  • Trend Vision One query for detecting suspicious NmPoller.exe activity: search Endpoint Activity Data for nmpoller.exe with eventSubId values 2, 101, 109, or 901.
  • The exploit SQL injection payload targets the DeviceStatisticalMonitors endpoint, injecting into the statisticalMonitorTable parameter to UPDATE ProActiveAlert with the extracted password value from GlobalSettings, using the marker string 'psyduck' to identify exfiltrated data.
  • A second-stage SQL injection payload updates the WebUser table to overwrite the admin password with the extracted encrypted value, enabling authentication bypass.
  • Detect RAT installation attempts via msiexec.exe spawned from NmPoller.exe. Observed RATs include Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote.
  • The regex pattern '"psyduck\d+(,\d+)*"' in HTTP responses from /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds indicates successful SQL injection exfiltration of the encrypted password.
  • NmPoller.exe can execute PowerShell scripts without launching a separate powershell.exe child process, so process-tree detections that look only for powershell.exe as a child of NmPoller.exe may miss some attack variants.
  • The Vision One query for nmpoller.exe will also surface benign product restarts and daily logfile creation events; analysts must baseline and exclude normal events before alerting.
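The two detection notes above (NmPoller.exe spawning powershell.exe/msiexec.exe, and the psyduck marker in responses from the AlertCenterItemsReportThresholds endpoint) as runnable checks over constructed sample telemetry. This is an added example, not code from the CVE record or from any vendor tool; it assumes events have already been normalised to dicts with parent_image/image and path/body keys, and the sample file paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Rules taken from the detection notes above. Note the caveat: NmPoller.exe can
# run PowerShell in-process, so the process-tree rule alone will not catch every variant.
SUSPICIOUS_CHILDREN = {"powershell.exe", "msiexec.exe"}
EXFIL_PATH = "/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds"
EXFIL_MARKER = re.compile(r'"psyduck\d+(,\d+)*"')

def _basename(image: str) -> str:
    # Compare on the lower-cased file name so install location and casing do not matter.
    return PureWindowsPath(image).name.lower()

def flag_process_events(events):
    """Return (parent, child) pairs where NmPoller.exe spawned a suspicious child."""
    hits = []
    for ev in events:
        if (_basename(ev["parent_image"]) == "nmpoller.exe"
                and _basename(ev["image"]) in SUSPICIOUS_CHILDREN):
            hits.append((ev["parent_image"], ev["image"]))
    return hits

def flag_http_responses(responses):
    """Return every psyduck marker found in a response from the exfiltration endpoint."""
    hits = []
    for resp in responses:
        if resp["path"] == EXFIL_PATH:
            hits.extend(m.group(0) for m in EXFIL_MARKER.finditer(resp["body"]))
    return hits

# Constructed sample telemetry (hypothetical install path, not captured data).
NMPOLLER = r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe"
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": NMPOLLER, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent_image": NMPOLLER, "image": r"C:\Windows\System32\msiexec.exe"},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": NMPOLLER},  # benign service restart
]
SAMPLE_HTTP_RESPONSES = [
    {"path": EXFIL_PATH, "body": '{"rows":[{"name":"psyduck65,66,67","id":1}]}'},
    {"path": "/NmConsole/User/LoginAjax", "body": '{"result":"ok"}'},
    {"path": EXFIL_PATH, "body": '{"rows":[{"name":"Default threshold"}]}'},  # benign response
]

if __name__ == "__main__":
    print(flag_process_events(SAMPLE_PROCESS_EVENTS))
    print(flag_http_responses(SAMPLE_HTTP_RESPONSES))
```

The benign restart event and the benign threshold response are included so the rules can be checked for the false positives the second caveat warns about.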

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL