Thursday, February 27, 2025

Progress WhatsUp Gold Vulnerabilities Let Attackers Inject SQL Commands


The Progress WhatsUp Gold team confirmed the existence of critical vulnerabilities in all versions of their software released before 2024.0.0.

If exploited, these vulnerabilities could allow attackers to inject SQL commands, posing significant security risks to users.

Although there have been no reports of these vulnerabilities being exploited in the wild, the company is urging all customers to upgrade to the latest version immediately.

CVE-2024-6670 (WUG-16138) – CVSS Score: 9.8

One of the most severe vulnerabilities, CVE-2024-6670, affects WhatsUp Gold versions released before 2024.0.0.

This SQL Injection vulnerability can be exploited if the application is configured with only one user.

An unauthenticated attacker could retrieve the user’s encrypted password, leading to unauthorized access.

The vulnerability was discovered by Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam), which collaborates with the Trend Micro Zero Day Initiative. The high CVSS score of 9.8 reflects its critical nature.


CVE-2024-6671 (WUG-16139) – CVSS Score: 9.8

Similar to CVE-2024-6670, CVE-2024-6671 also involves a SQL Injection vulnerability in WhatsUp Gold versions before 2024.0.0.

This flaw allows an unauthenticated attacker to retrieve the user’s encrypted password when the application is configured with a single user.

Again, Sina Kheirkhah and the Summoning Team were credited with this vulnerability, highlighting the ongoing collaboration with security researchers to identify and mitigate potential risks.

CVE-2024-6672 (WUG-16142) – CVSS Score: 8.8

CVE-2024-6672 presents a slightly different threat. In this case, an authenticated low-privileged attacker could exploit a SQL Injection vulnerability to achieve privilege escalation by modifying a privileged user’s password.

While slightly less critical than the previous two, this vulnerability still poses a significant risk to system integrity and security.

The discovery of this vulnerability also comes from the efforts of Sina Kheirkhah and the Summoning Team, emphasizing the importance of external security research in maintaining software security.

Urgent Call to Action

Progress strongly encourages all WhatsUp Gold customers running versions older than 2024.0.0 to upgrade their systems immediately.

The upgrade process is straightforward, typically taking 30 minutes or less, and is available free of charge to customers with an active service agreement.

Progress offers support through its Customer Support and Professional Services teams. Customers with an active service agreement or subscription can contact Progress Technical Support.

Those without an active agreement are advised to contact Progress Sales to reinstate their license.

Progress states that the security of WhatsUp Gold users is its paramount concern. The company has taken swift action to address these vulnerabilities and is proactively notifying customers so they can mitigate potential risks.

By upgrading to the latest version, users can ensure their systems remain secure against these identified threats.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
