Critical Progress WhatsUp RCE flaw now under active exploitation


Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks.

The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older.

Publicly available proof-of-concept (PoC) exploits for CVE-2024-4885 target exposed WhatsUp Gold ‘/NmAPI/RecurringReport’ endpoints.

Threat monitoring organization Shadowserver Foundation reports that the attempts started on August 1, 2024, coming from six distinct IP addresses.

 

The CVE-2024-4885 RCE

Progress WhatsUp Gold is a network monitoring application that allows you to track the uptime and availability of servers and services running on them. However, as with any software, it should only be accessible internally, through a VPN, or via trusted IP addresses.

On June 25, 2024, Progress released a security bulletin warning about fifteen high and critical-severity bugs, including CVE-2024-4885, a 9.8-rated critical RCE flaw. Progress urged users to upgrade to the latest version, 23.1.3, to resolve the vulnerabilities.

CVE-2024-4885 is a remote code execution flaw in the ‘WhatsUp.ExportUtilities.Export.GetFileWithoutZip’ function, allowing unauthenticated attackers to execute commands with the privileges of the ‘iisapppool\nmconsole’ user.

This is not an admin user but still has elevated permissions within the context of WhatsUp Gold. It can execute code on the server and even access the underlying system.

The vendor’s recommendations for those unable to upgrade to 23.1.3 were to monitor exploitation attempts at the ‘/NmAPI/RecurringReport’ endpoint and implement firewall rules to restrict access to it only to trusted IP addresses on ports 9642 and 9643.
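The monitoring step the vendor recommends can be sketched as a sweep over web server logs. This is an added example, not code from Progress or from the article: it assumes IIS W3C extended logs with a `#Fields:` header, and the trusted ranges and log lines are constructed placeholders.

```python
import ipaddress

# Assumptions (not from the article): W3C extended log format with a
# "#Fields:" header; TRUSTED holds placeholder ranges to replace locally.
ENDPOINT = "/nmapi/recurringreport"
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-08-01 09:14:02 10.1.1.5 POST /NmAPI/RecurringReport - 9643 - 203.0.113.45 200
2024-08-01 09:15:10 10.1.1.5 POST /NmAPI/RecurringReport - 9643 - 10.1.4.20 200
2024-08-01 09:16:31 10.1.1.5 GET /NmConsole/ - 443 - 198.51.100.7 200
2024-08-01 09:17:48 10.1.1.5 POST /nmapi/recurringreport - 9642 - 198.51.100.7 500
"""

def is_trusted(ip_text):
    """True only if the client address parses and falls in a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address is treated as untrusted
    return any(ip in net for net in TRUSTED)

def find_untrusted_hits(lines):
    """Return (timestamp, client_ip, port, status) for each request to the
    RecurringReport endpoint that came from outside the trusted ranges."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if not row.get("cs-uri-stem", "").lower().startswith(ENDPOINT):
            continue
        if is_trusted(row.get("c-ip", "")):
            continue
        hits.append((f"{row.get('date')} {row.get('time')}",
                     row.get("c-ip"), row.get("s-port"), row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_hits(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Any hit on ports 9642 or 9643 from an address outside the allowlist also shows that the recommended firewall restriction is not in effect.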

The flaw was discovered by security researcher Sina Kheirkhah, who published a detailed technical write-up on his blog, including a proof-of-concept exploit.

The exploit sends a ‘TestRecurringReport’ request to an exposed WhatsUp Gold reporting endpoint that contains a specially crafted configuration. This configuration includes the URL to an attacker-controlled web server and the user ID the targeted server should respond with.

When the targeted server responds to the attacker’s server, it will include the user name and encrypted password associated with the user ID.

Kheirkhah’s exploit uses this information to make and receive further requests and responses with the targeted server to ultimately cause a file to be written on the server, which is then launched remotely for code execution, as illustrated below.

 

As the final payload in the exploit is delivered from attacker-controlled servers, it is unknown at this time what payloads are being created on targeted servers. However, similar activity in the past created webshells on the targeted devices for easier access and persistence.

Given the active exploitation status, WhatsUp Gold admins should apply the latest security updates or mitigations and continue monitoring for suspicious activity.

The WhatsUp Gold server should also be placed behind a firewall and accessible only internally or by trusted IP addresses.
