Progress WhatsUp fixes several vulnerabilities

The Progress WhatsUp Gold team has fixed multiple vulnerabilities affecting all versions of the software released before 2024.0.0. The flaws pose a risk to any organization still running an outdated version of the network monitoring tool.

All three vulnerabilities are SQL Injection flaws. Depending on the configuration and the attacker's starting position, they allow an attacker to read sensitive data (stored user credentials) or to escalate privileges within the application.


Summary of the fixed vulnerabilities

  • CVE-2024-6670 (CVSS 9.8) is a SQL Injection vulnerability that allows an unauthenticated attacker to retrieve the encrypted password of a user if the application is configured with only a single user. Because no authentication is required, this is a critical issue for any organization running such a configuration.
  • CVE-2024-6671 (CVSS 9.8) is a second SQL Injection vulnerability with the same preconditions and impact: in a single-user configuration, an unauthenticated attacker can retrieve the user's encrypted password.
  • CVE-2024-6672 (CVSS 8.8) is a SQL Injection vulnerability that allows an authenticated, low-privileged attacker to escalate privileges by modifying the password of a privileged user. With the privileged account's password reset to a value of their choosing, the attacker can log in as that user and take control of the system.
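The two outcomes listed above, leaking another account's stored password and rewriting a privileged user's password, are the classic consequences of building SQL from user input. The following is an added illustration and is not WhatsUp Gold's code or the actual exploit for these CVEs; the table, column names and the sample users are constructed for the demo. It shows a lookup and a password-change routine written with string interpolation, the payloads that abuse each, and the parameterized versions that close the hole.

```python
import sqlite3

# Constructed in-memory user store standing in for an application's
# credential table. Schema and rows are assumptions for this demo only.
SAMPLE_USERS = [
    ("admin", "ENC(7f3a...)", "admin"),
    ("monitor", "ENC(91bc...)", "user"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def get_password(conn, username):
    # Helper used to inspect state; always parameterized.
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def find_user_vulnerable(conn, username):
    # The caller's input becomes part of the SQL text. A username such as
    # x' OR '1'='1 turns the WHERE clause into a tautology and returns
    # every row, stored (encrypted) passwords included.
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Placeholder binding: the input is sent as data, never parsed as SQL,
    # so the same payload simply matches no user.
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchall()


def change_own_password_vulnerable(conn, current_user, new_password):
    # Intended to let a user update only their own row. Because new_password
    # is interpolated, a low-privileged user can supply
    #   pwned' WHERE username = 'admin' --
    # which rewrites the WHERE clause to target the admin row and comments
    # out the original condition: privilege escalation by password reset.
    sql = (
        f"UPDATE users SET password = '{new_password}' "
        f"WHERE username = '{current_user}'"
    )
    conn.execute(sql)
    conn.commit()


def change_own_password_safe(conn, current_user, new_password):
    # Bound parameters keep the payload inert: it is stored verbatim as the
    # caller's own password and the admin row is untouched. (A real
    # implementation would also hash the password before storing it.)
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (new_password, current_user),
    )
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    leak = find_user_vulnerable(db, "x' OR '1'='1")
    print("vulnerable lookup returned", len(leak), "rows:", leak)
    print("safe lookup returned", find_user_safe(db, "x' OR '1'='1"))
    escalate = "pwned' WHERE username = 'admin' --"
    change_own_password_vulnerable(db, "monitor", escalate)
    print("admin password after vulnerable update:", get_password(db, "admin"))
    db = make_db()
    change_own_password_safe(db, "monitor", escalate)
    print("admin password after safe update:", get_password(db, "admin"))
```

The fix is the same in both cases: never splice user-controlled strings into SQL text; bind them as parameters (or use an ORM or query builder that does so). When reviewing a code base for this class of bug, search for string formatting or concatenation adjacent to `execute` calls, and note that the lookup variant is reachable before authentication while the update variant needs only the lowest-privileged account, which is exactly the split between the 9.8 and 8.8 ratings above.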

Progress WhatsUp Gold users are strongly encouraged to upgrade to version 2024.0.0 or newer, which contains the fixes for all three issues.

As of this writing no reports of active exploitation have surfaced, but given that two of the flaws are reachable without authentication and the third leads to full administrative control, the potential impact is severe and affected installations should be upgraded without delay.
