
Security researchers have published a proof-of-concept (PoC) exploit for CVE-2024-8785, a critical remote code execution vulnerability affecting Progress WhatsUp Gold with a CVSS score of 9.8.
A critical registry-overwrite remote code execution (RCE) vulnerability has been identified in NmAPI.exe, which is part of the WhatsUp Gold network monitoring software. The flaw affects versions before 24.0.1 and allows an unauthenticated remote attacker to execute arbitrary code on affected systems, which could lead to the compromise of the entire network being monitored by the software. The vulnerability poses significant security risk because attackers could take full control of the affected system, deploy malware, or exfiltrate sensitive data.
The vulnerability within NmAPI.exe, a Windows Communication Foundation (WCF) application used by WhatsUp Gold, is particularly concerning. The flaw is specifically located in the UpdateFailoverRegistryValues operation. This function interacts with the Windows registry, allowing an attacker to write or alter registry entries without requiring authentication.
The vulnerability can be exploited through a netTcpBinding at the endpoint net.tcp://<target-host>:9643. By leveraging this method, attackers can modify registry values under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\. One critical aspect of this vulnerability is the ability to change the InstallDir registry entry to point to a Universal Naming Convention (UNC) path controlled by an attacker, such as \\<attacker-ip>\share\WhatsUp. This allows attackers to execute arbitrary code on the affected system, significantly compromising its security.
Once the attacker redirects the InstallDir registry entry to an attacker-controlled network share, further exploitation becomes possible. When the Ipswitch Service Control Manager (ServiceControlManager.exe) service restarts—perhaps due to a system restart or Windows update—it tries to read various manifest files from the specified UNC path.
This action allows the attacker to define new processes to be executed by including a <ServerProcess> element in the WhatsUpPlatform-PluginManifest.xml file. This effectively lets the attacker control what processes are run, potentially leading to significant system compromise and unauthorized access.
The Tenable report highlights the release of a PoC exploit, urging organizations using affected versions of WhatsUp Gold to upgrade to version 24.0.1 or later. Failure to patch this vulnerability can lead to unauthorized access and control over systems. Cybersecurity experts recommend implementing network-level mitigations, including restricting access to TCP port 9643 to trusted hosts and monitoring for suspicious registry modifications.
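The two mitigations above can be checked and applied from an elevated PowerShell session on the WhatsUp Gold host. The script below is an added example and is not code from Tenable, Progress, or the original article. It assumes that the InstallDir value lives somewhere under the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\ key named above (the exact subkey is not stated, so it searches recursively), that the trusted management subnet is the placeholder shown, and that the host's inbound firewall default is Block so that a scoped Allow rule is sufficient.

```powershell
# Added defensive checks for the WhatsUp Gold InstallDir / TCP 9643 exposure.
# Assumptions (not from the article): run elevated on the WhatsUp Gold host;
# $TrustedSources is a placeholder management subnet; the exact subkey holding
# InstallDir is unknown, so every key under the Ipswitch hive is inspected.

$IpswitchKey    = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch'
$TrustedSources = @('10.0.0.0/24')   # placeholder: replace with your management subnet(s)
$NmApiPort      = 9643               # net.tcp endpoint port named in the article

# 1. Detection: report any InstallDir value that points at a UNC path (\\host\share).
#    A legitimate install points at a local directory, e.g. C:\Program Files (x86)\...
function Find-UncInstallDir {
    $keys = @(Get-Item -Path $IpswitchKey -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $IpswitchKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $value = $key.GetValue('InstallDir', $null)
        if ($null -ne $value -and $value -match '^\\\\') {
            [pscustomobject]@{ Key = $key.Name; InstallDir = $value }
        }
    }
}

# 2. Exposure check: list every firewall rule that touches the NmAPI port, so an
#    installer-created "allow from anywhere" rule can be spotted and scoped down.
function Get-NmApiFirewallRules {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$NmApiPort" } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Enabled, Direction, Action, Profile
}

# 3. Mitigation: allow TCP 9643 inbound only from trusted hosts. Windows Firewall
#    evaluates Block rules before Allow rules, so we do not add a blanket Block;
#    instead we rely on the profile's DefaultInboundAction being Block and on the
#    operator removing any broader Allow rule reported by Get-NmApiFirewallRules.
function Add-NmApiTrustedAllowRule {
    New-NetFirewallRule -DisplayName 'WhatsUp Gold NmAPI - trusted hosts only' `
        -Direction Inbound -Protocol TCP -LocalPort $NmApiPort `
        -RemoteAddress $TrustedSources -Action Allow -Profile Any
}

# --- Run the checks ---
$suspicious = @(Find-UncInstallDir)
if ($suspicious.Count -gt 0) {
    Write-Warning "InstallDir points at a UNC path; treat the host as potentially compromised:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No UNC-path InstallDir values found under $IpswitchKey"
}

Write-Host "`nFirewall profiles (default inbound action should be Block):"
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

Write-Host "`nExisting rules for TCP $NmApiPort:"
Get-NmApiFirewallRules | Format-Table -AutoSize

# Uncomment once the existing rules above have been reviewed and any unscoped Allow removed:
# Add-NmApiTrustedAllowRule | Out-Null
```

Run the script periodically (or from an EDR/monitoring job) to catch a re-pointed InstallDir before the Ipswitch Service Control Manager next restarts and reads manifests from it; upgrading to 24.0.1 or later remains the actual fix, and the firewall scoping only limits who can reach the vulnerable endpoint in the meantime.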

