Critical RCE Vulnerability in WhatsUp Gold: PoC Exploit Now Available

CVE-2024-8785

Tenable experts have released a proof-of-concept (PoC) exploit for a critical vulnerability in Progress WhatsUp Gold, enabling remote code execution (RCE) on affected devices.

The RCE vulnerability, CVE-2024-8785 (CVSS score: 9.8), stems from insufficient data validation, allowing attackers to send specially crafted requests that modify or overwrite Windows registry keys responsible for configuration file paths.

Discovered by Tenable in mid-August 2024, the flaw affects the NmAPI.exe process in WhatsUp Gold versions from 2023.1.0 up to, but not including, 24.0.1. NmAPI.exe provides an API for network management and processes incoming requests. Exploitation requires no authentication, and because the NmAPI.exe service is reachable over the network, the associated risk is significantly higher.

The exploit enables the modification of existing registry values or the creation of new entries within the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch path. For instance, the InstallDir value can be redirected to a network resource controlled by the attacker, allowing malicious files to be downloaded and executed.

Upon restarting the Ipswitch Service Control Manager, configuration files are read from the attacker-controlled resource, providing an opportunity to execute arbitrary code on the vulnerable system. Additionally, altering registry entries gives attackers a means to maintain persistence, such as through the addition of malicious code to the system’s startup processes.
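For defenders triaging hosts that ran an affected version, the following added example (not code from Tenable or Progress) scans saved output of `reg query "HKLM\SOFTWARE\WOW6432Node\Ipswitch" /s` and flags any value, InstallDir included, whose data points to a UNC share or URL instead of a local path. The subkey names, the ExampleFlag value and the address in the sample are constructed placeholders.

```python
import re

# Registry subtree named in the article as writable through the flaw.
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch"
# `reg query <key> /s` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def is_remote(data):
    """Return True if a string value resolves off-host (URL or UNC share)."""
    d = data.strip().strip('"')
    if re.match(r"[a-z][a-z0-9+.-]*://", d, re.I):
        return True
    d = d.replace("/", "\\")
    if d.upper().startswith("\\\\?\\UNC\\"):  # \\?\UNC\host\share
        return True
    # \\host\share, but not the local forms \\?\C:\... or \\.\device
    return bool(re.match(r"\\\\[^\\?.]", d))


def audit(reg_output, root=ROOT):
    """Return (key, value name, data) for every remote-pointing value under root."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not (key.upper() + "\\").startswith(root.upper() + "\\"):
            continue
        # reg.exe shows REG_MULTI_SZ entries separated by a literal \0
        parts = m["data"].split("\\0") if m["type"] == "REG_MULTI_SZ" else [m["data"]]
        if any(is_remote(p) for p in parts):
            findings.append((key, m["name"], m["data"]))
    return findings


# Constructed sample output; subkey names and 198.51.100.7 (TEST-NET-2) are placeholders.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\PLACEHOLDER-SUBKEY-A
    InstallDir    REG_SZ    C:\Program Files (x86)\Ipswitch\WhatsUp\
    ExampleFlag    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\PLACEHOLDER-SUBKEY-B
    InstallDir    REG_SZ    \\198.51.100.7\share\WhatsUp\
"""

if __name__ == "__main__":
    for key, name, data in audit(SAMPLE):
        print(f"[!] {key} :: {name} -> {data}")
```

A hit is a lead for investigation, not proof of compromise; compare flagged values against a known-good installation before acting.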

System administrators using WhatsUp Gold are urged to promptly update to version 24.0.1. Security updates addressing this and five other vulnerabilities were released by Progress Software on September 24, accompanied by installation guidance in the advisory.

This is not the first time WhatsUp Gold has been targeted. In August 2024, hackers actively exploited two critical vulnerabilities to gain control over administrator accounts. Earlier incidents revealed a flaw enabling attackers to execute arbitrary code on servers without requiring authentication.
