overview

Security researchers at the Summoning Team have discovered a critical flaw impacting Progress Software’s WhatsUp Gold. The vulnerability, tracked as CVE-2024-4885, is an unauthenticated remote code execution bug that impacts versions of WhatsUp Gold older than version 2023.1.3. In their official advisory, exploitation of this bug would “allow an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe.” 

The security researcher responsible for discovery, Sina Kheirkhah of the Summoning Team, stated that the flaw exists in how the “GetFileWithoutZip” method was implemented. 

Shadowserver Foundation has observed at least 6 attempts to exploit this vulnerability since August 1, and has pointed out that a proof-of-concept for exploiting this is available online 

 

 

avertium's recommendationS

Update Immediately: Progress recommends updating to the latest version of WhatsUp Gold, version 23.1.3, as soon as possible. This update addresses several remote code execution vulnerabilities in addition to CVE-2024-4885. 

 

 

how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with the above vulnerabilities. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

 

TTPs TO MONITOR

1. Initial Access (TA0001) 

  • Exploitation of Public-Facing Application (T1190): The primary tactic used during an unauthenticated RCE attack as the attacker exploits a vulnerability in a web application, service, or software that is openly accessible to the internet. 

2. Execution (TA0002) 

  • Command and Scripting Interpreter (T1059): After exploiting the vulnerability, an attacker might execute arbitrary code on the target system, potentially using command-line interfaces or scripts. 
  • Application Layer Protocol (T1071): If the exploit allows the attacker to execute commands through application protocols (like HTTP/S), this technique might be employed to interact with and issue commands. 

3. Persistence (TA0003) 

  • Create or Modify System Process (T1543): An attacker may attempt to establish persistence on the compromised system by creating new services or modifying existing ones to maintain access. 

4. Privilege Escalation (TA0004) 

  • Exploitation for Privilege Escalation (T1068): If the attacker gains access at a low privilege level, they may exploit other vulnerabilities to escalate their privileges to gain more control over the system. 

 

 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).




 

SUPPORTING DOCUMENTATION

Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now 

WhatsUp Gold Security Bulletin– June 2024 

WhatsUp Gold Pre-Auth RCE GetFileWithoutZip 

Proof-of-concept 

 
Chat With One of Our Experts



remote code execution Remote Code Execution (RCE) vulnerabilities Flash Notice Critical Vulnerability progress software Blog