A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it important to install the latest security updates as soon as possible.
The flaw is tracked as CVE-2024-8785 (CVSS v3.1 score: 9.8) and was discovered by Tenable in mid-August 2024. It exists in the NmAPI.exe process in WhatsUp Gold versions from 2023.1.0 and before 24.0.1.
Manipulating the Windows Registry
When launched, NmAPI.exe provides a network management API interface for WhatsUp Gold, listening for and processing incoming requests.
Due to insufficient validation of incoming data, attackers could send specially crafted requests to modify or overwrite sensitive Windows registry keys that control where WhatsUp Gold configuration files are read from.
“An unauthenticated remote attacker can invoke the UpdateFailoverRegistryValues operation via a netTcpBinding at net.tcp://
“Through the UpdateFailoverRegistryValues operation, the attacker can change an existing registry value or create a new one for any registry path under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch.”
“Specifically, the attacker can change HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup\InstallDir to a UNC path pointing to a host controlled by the attacker (i.e.,
The next time the Ipswitch Service Control Manager service restarts, it will read various configuration files from the attacker-controlled remote share, which can be used to launch any remote executable the attacker wants on the vulnerable WhatsUp Gold system.
Apart from the obvious risks that arise from such a scenario, the ability to modify the system registry also gives the attacker excellent persistence capabilities, such as making changes to startup keys so that malicious code is executed upon system boot.
Exploitation of CVE-2024-8785 does not require authentication, and since the NmAPI.exe service is accessible over the network, the risk is significant.
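As an added defensive check (not from the article, Tenable, or Progress), this PowerShell script audits the registry subtree the advisory describes: it inspects the Setup\InstallDir value named above and then walks everything under HKLM\SOFTWARE\WOW6432Node\Ipswitch, flagging any string value that points at a UNC share. The helper name Test-UncPath is my own; run it as an administrator on the WhatsUp Gold server.

```powershell
# Added audit script (not part of the article or the vendor's tooling).
# Flags registry values under the Ipswitch subtree that point at a UNC share,
# the condition CVE-2024-8785 is described as creating. Assumes the key paths
# quoted in the Tenable advisory; run elevated on the WhatsUp Gold host.

$ipswitchRoot  = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch'
$installDirKey = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup'

function Test-UncPath {
    param([string]$Value)
    # UNC paths start with \\host\share (or the //host/share variant).
    return [bool]($Value -match '^(\\\\|//)\S')
}

$findings = @()

# 1. The value the advisory names explicitly: Setup\InstallDir.
$installDir = (Get-ItemProperty -Path $installDirKey -Name InstallDir -ErrorAction SilentlyContinue).InstallDir
if ($null -eq $installDir) {
    Write-Warning "InstallDir not found under $installDirKey (is WhatsUp Gold installed here?)"
} elseif (Test-UncPath $installDir) {
    $findings += [pscustomobject]@{ Key = $installDirKey; Name = 'InstallDir'; Value = $installDir }
} else {
    Write-Host "InstallDir looks local: $installDir"
}

# 2. The advisory says any value under the Ipswitch subtree can be written,
#    so walk the root key and every subkey and check each string value.
$keys = @(Get-Item -Path $ipswitchRoot -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $ipswitchRoot -Recurse -ErrorAction SilentlyContinue)
foreach ($key in ($keys | Where-Object { $_ })) {
    foreach ($name in $key.GetValueNames()) {
        if ("$($key.GetValueKind($name))" -in @('String', 'ExpandString')) {
            # Read raw data so %VAR% tokens are not expanded before inspection.
            $val = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if (Test-UncPath $val) {
                $findings += [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $val }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No UNC paths found under the Ipswitch registry subtree.'
} else {
    Write-Warning 'UNC paths found; confirm each against your deployment and review recent restarts of the Ipswitch Service Control Manager service.'
    $findings | Sort-Object Key, Name -Unique | Format-Table -AutoSize
}
```

A legitimate deployment can store a network path here, so treat a hit as something to verify against the documented configuration rather than as proof of compromise.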
Update WhatsUp Gold now
System administrators managing WhatsUp Gold deployments should upgrade to version 24.0.1 as soon as possible.
Progress Software released security updates addressing CVE-2024-8785 and five more flaws on September 24, 2024, and published the related bulletin here, containing installation instructions.
WhatsUp Gold has been targeted by hackers again recently, with the threat actors leveraging publicly available exploits to attack vulnerable endpoints.
In early August, threat actors used public PoCs for a critical WhatsUp Gold RCE flaw to obtain initial access to corporate networks.
In September, hackers used public exploits for two critical SQL injection vulnerabilities in WhatsUp Gold, which enabled them to take over administrator accounts without knowing the password.
Given the recent history of threat actors exploiting critical vulnerabilities in Progress Software's popular network monitoring solution, it is crucial to promptly apply the available security updates.