December 5 Advisory: RCE Vulnerability in Progress WhatsUp Gold [CVE-2024-8785]

Date of Disclosure: September 24, 2024

CVE-2024-8785 is a flaw in Progress WhatsUp Gold versions released before 24.0.1 that allows a remote unauthenticated attacker to leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

The initial disclosure of CVE-2024-8785 occurred when Progress Software released a security bulletin on September 24, 2024, predating the CVE assignment by a few months. There is an exploit for this vulnerability, as acknowledged by Progress Software after it was reported by Tenable. However, we currently do not have access to the exploit itself. Tenable has published a detailed writeup that explains how the vulnerability might be exploited.

Censys Perspective

At the time of writing, Censys observed 1,219 exposed WhatsUp Gold instances online. A large proportion of these (51%) are geolocated in Brazil. Censys observed about 18% of the exposed instances to be associated with Kesley Matias Da Silva (ASN 269393), a telecommunications provider. Note that not all of these are necessarily vulnerable, as specific versions are not always available. 

Map of Exposed WhatsUp Gold instances:

Censys Search Query:

services.software: (vendor="Progress" and product="WhatsUp Gold")

Censys ASM Query:

host.services.software.vendor="Progress" and host.services.software.product="WhatsUp Gold"

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-8785
• https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024
• https://www.tenable.com/security/research/tra-2024-48