Friday, January 24, 2025
HomeCVE/vulnerabilityProgress WhatsUp Gold Vulnerabilities Let Attackers Inject SQL Commands

Progress WhatsUp Gold Vulnerabilities Let Attackers Inject SQL Commands

Published on

SIEM as a Service

Follow Us on Google News

The Progress WhatsUp Gold team confirmed the existence of critical vulnerabilities in all versions of their software released before 2024.0.0.

If exploited, these vulnerabilities could allow attackers to inject SQL commands, posing significant security risks to users.

Although there have been no reports of these vulnerabilities being exploited in the wild, the company is urging all customers to upgrade to the latest version immediately.

CVE-2024-6670 (WUG-16138) – CVSS Score: 9.8

One of the most severe vulnerabilities, CVE-2024-6670, affects WhatsUp Gold versions released before 2024.0.0.

This SQL Injection vulnerability can be exploited if the application is configured with only one user.

An unauthenticated attacker could retrieve the user’s encrypted password, leading to unauthorized access.

The vulnerability was discovered by Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam), which collaborates with the Trend Micro Zero Day Initiative. The high CVSS score of 9.8 reflects its critical nature.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

CVE-2024-6671 (WUG-16139) – CVSS Score: 9.8

Similar to CVE-2024-6670, CVE-2024-6671 also involves a SQL Injection vulnerability in WhatsUp Gold versions before 2024.0.0.

This flaw allows an unauthenticated attacker to retrieve the user’s encrypted password when the application is configured with a single user.

Again, Sina Kheirkhah and the Summoning Team were credited with this vulnerability, highlighting the ongoing collaboration with security researchers to identify and mitigate potential risks.

CVE-2024-6672 (WUG-16142) – CVSS Score: 8.8

CVE-2024-6672 presents a slightly different threat. In this case, an authenticated low-privileged attacker could exploit a SQL Injection vulnerability to achieve privilege escalation by modifying a privileged user’s password.

While slightly less critical than the previous two, this vulnerability still poses a significant risk to system integrity and security.

The discovery of this vulnerability also comes from the efforts of Sina Kheirkhah and the Summoning Team, emphasizing the importance of external security research in maintaining software security.

Urgent Call to Action

Progress strongly encourages all WhatsUp Gold customers running versions older than 2024.0.0 to upgrade their systems immediately.

The upgrade process is straightforward, typically taking 30 minutes or less, and is available free of charge to customers with an active service agreement.

Progress offers support through its Customer Support and Professional Services teams. Customers with an active service agreement or subscription can contact Progress Technical Support.

Those without an active agreement are advised to contact Progress Sales to reinstate their license.

Progress is paramountly concerned about the security of WhatsUp Gold users. The company has taken swift action to address these vulnerabilities and proactively notifies customers to mitigate potential risks.

By upgrading to the latest version, users can ensure their systems remain secure against these identified threats.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...