In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
An attacker without any authentication can send a specially crafted request containing malicious SQL code to the WhatsUp Gold application. The vulnerability results from insufficient validation and sanitization of input data before its use in database queries (CWE-89). As a result, the application executes unintended SQL queries, returning encrypted user account passwords stored in the database to the attacker.
An attacker can download encrypted passwords of all system users, which may subsequently lead to their compromise and account takeover, resulting in complete control over the network monitoring system.
Progress WhatsUp Gold must be immediately updated to version 2024.0.0 or later. Detailed information is available in the vendor's security bulletin published in August 2024 at: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
Progress WhatsUp Gold in all versions released before 2024.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HProgress Whatsup Gold
APPProgress< 24.0
CISA KEV — detailsi
- Vendori
- Progress ↗
- Producti
- WhatsUp Gold
- Added to KEVi
- September 16, 2024
- Remediation deadline (US Federal)i
- October 7, 2024(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.
Related vulnerabilities
Progress WhatsUp Gold – nieuwierzytelniony RCE przez path traversal
Progress WhatsUp Gold — nieautoryzowana konfiguracja ustawień LDAP
Progress WhatsUp Gold — nieautoryzowany dostęp do serwera przez publiczne API
Zdalne wykonanie kodu w Progress WhatsUp Gold (RCE bez uwierzytelnienia)
Progress WhatsUp Gold – nieautoryzowana modyfikacja rejestru Windows przez NmAPI.exe