In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.
The vulnerability results from improper configuration and path traversal errors, which allow bypassing authentication mechanisms (auth bypass). An attacker can send a specially crafted request over the network to the vulnerable system without possessing any credentials and without user interaction. As a result, code execution is possible in the context of the application service account.
An attacker gains the ability to execute code remotely (RCE) with the privileges of the WhatsUp Gold service account, which in practice can mean complete system takeover, data breach, and further lateral movement in the network.
Progress WhatsUp Gold must be immediately updated to version 2024.0.1 or later. Detailed patch information is available in the vendor's security bulletin (Progress WhatsUp Gold Security Bulletin, September 2024) and in the official release notes for version 2024.0.
Progress WhatsUp Gold in all versions released before 2024.0.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HProgress Whatsup Gold
APPProgress< 24.0.1
Related vulnerabilities
SQL Injection w Progress WhatsUp Gold — kradzież zaszyfrowanych haseł
Progress WhatsUp Gold – nieuwierzytelniony RCE przez path traversal
Progress WhatsUp Gold — nieautoryzowana konfiguracja ustawień LDAP
Progress WhatsUp Gold — nieautoryzowany dostęp do serwera przez publiczne API
Progress WhatsUp Gold – nieautoryzowana modyfikacja rejestru Windows przez NmAPI.exe