What is Progress WhatsUp Gold?
Progress WhatsUp Gold is a network monitoring and IT infrastructure management platform used by organizations to monitor device availability, network performance, and system health. It runs as a privileged Windows service with broad network access and stores monitoring credentials — SNMP community strings, SSH keys, WMI credentials — for all monitored devices. As a result, compromise of WhatsUp Gold extends beyond the monitoring server itself and can provide authenticated access to a wide range of monitored infrastructure.
Overview
CVE-2024-4885 is a path traversal vulnerability in Progress WhatsUp Gold's web interface that allows an unauthenticated remote attacker to read files outside the intended web root — and, under the conditions present in the affected versions, to achieve remote code execution. Patched in WhatsUp Gold 23.1.3 (June 2024), it received a delayed CISA KEV addition in March 2025, indicating continued exploitation against unpatched instances many months after the fix was available. It is part of a cluster of WhatsUp Gold critical vulnerabilities disclosed in 2024, including CVE-2024-6670 and CVE-2024-6671 (SQL injection, August 2024).
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Progress WhatsUp Gold | < 23.1.3 | 23.1.3 |
| Progress WhatsUp Gold | 24.x prior to fix | 24.0.0 |
Technical Details
CWE-22 (Path Traversal). The GetFileWithoutZip HTTP endpoint in WhatsUp Gold's web service accepts a file path parameter without adequate sanitization. By supplying path traversal sequences (../), an unauthenticated attacker can escape the intended file serving directory and read arbitrary files accessible to the WhatsUp Gold service account — which, running as a privileged Windows service, can read broadly across the system.
Beyond arbitrary file read, the way the affected versions serve the requested file lets the traversal reach content used by the application's script execution pipeline, so a crafted request can be turned into code execution rather than only information disclosure. In practical exploitation this elevates the vulnerability to full unauthenticated remote code execution, which is why it carries a 9.8 CVSS score despite being classed as CWE-22.
Discovery
Reported to Progress Software and patched in WhatsUp Gold 23.1.3 in June 2024. The eight-month gap between the patch and the CISA KEV addition (March 2025) reflects confirmed exploitation against organizations that had not applied the June 2024 patch, a recurring pattern for network monitoring software, where patch discipline often lags.
Exploitation Context
The delayed CISA KEV addition on March 3, 2025 confirms that active exploitation continued long after the June 2024 patch release, targeting organizations running unpatched WhatsUp Gold instances. WhatsUp Gold is often deployed as an internal-only service, but instances accessible from broader network segments (or through VPN) remained vulnerable. The monitoring software's privileged access to infrastructure credentials made it a high-value secondary target after initial access via other means.
Remediation
- Upgrade to WhatsUp Gold 23.1.3 or later (or 24.0.0+ for the 24.x branch).
- Restrict WhatsUp Gold web interface access to trusted internal management IP ranges.
- After patching, rotate monitoring credentials (SNMP, SSH, WMI) stored in WhatsUp Gold if the service was accessible from untrusted network segments.
- Review WhatsUp Gold access logs for unusual file path requests indicating traversal exploitation.
- Address the related August 2024 SQL injection vulnerabilities (CVE-2024-6670, CVE-2024-6671) if not already patched — upgrade to WhatsUp Gold 24.0.0 to cover the full 2024 vulnerability cluster.
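To make the log review in the fourth item concrete, here is an added Python example (not Progress tooling) that scans IIS W3C-format access log lines for traversal sequences in the URI stem or in any query parameter, catching plain, percent-encoded, double-encoded and backslash forms. The log lines, the `/GetFileWithoutZip` stem, the `path` query parameter name and the field list are constructed assumptions; take the real field list from the `#Fields:` line of your own logs and adjust the stem to where the product mounts the endpoint.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed sample log in IIS W3C extended format. The field list, endpoint
# path and parameter name are assumptions for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-01 10:00:01 10.0.0.5 GET /GetFileWithoutZip path=images/logo.png 443 - 10.0.0.21 Mozilla/5.0 200
2025-03-01 10:00:07 10.0.0.5 GET /GetFileWithoutZip path=..%2F..%2F..%2Foutside.txt 443 - 203.0.113.9 python-requests/2.31 200
2025-03-01 10:00:09 10.0.0.5 GET /GetFileWithoutZip path=%252e%252e%252f%252e%252e%252foutside.txt 443 - 203.0.113.9 curl/8.0 200
2025-03-01 10:00:12 10.0.0.5 GET /index.html - 443 - 10.0.0.21 Mozilla/5.0 200
2025-03-01 10:00:15 10.0.0.5 GET /GetFileWithoutZip path=..\\..\\outside.txt 443 - 198.51.100.7 curl/8.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|//)")


def traversal_reason(value, allow_leading_slash=False):
    """Return a short reason if `value` looks like a traversal attempt, else None.
    URI stems always begin with '/', so the caller allows that for stems."""
    v = fully_decode(value).replace("\\", "/")
    if ".." in v.split("/"):
        return "dot-dot segment"
    if DRIVE_OR_UNC.match(v) or (v.startswith("/") and not allow_leading_slash):
        return "absolute path"
    return None


def flag_traversal(text, endpoint="GetFileWithoutZip"):
    """Return (flagged_rows, per_client_counts). Every request is checked; the
    `vuln_endpoint` flag marks hits against the stem named in `endpoint`."""
    flagged = []
    per_client = Counter()
    for row in parse_w3c(text):
        stem, query = row["cs-uri-stem"], row["cs-uri-query"]
        candidates = [(stem, True)]
        if query != "-":
            for values in parse_qs(query, keep_blank_values=True).values():
                candidates.extend((v, False) for v in values)
        for value, is_stem in candidates:
            reason = traversal_reason(value, allow_leading_slash=is_stem)
            if reason:
                flagged.append({
                    "client": row["c-ip"], "stem": stem, "value": value,
                    "reason": reason, "status": row["sc-status"],
                    "vuln_endpoint": endpoint.lower() in stem.lower(),
                })
                per_client[row["c-ip"]] += 1
                break
    return flagged, per_client


if __name__ == "__main__":
    hits, counts = flag_traversal(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']:15} {h['status']} {h['stem']} {h['reason']}: {h['value']}")
    print("per client:", dict(counts))
```

A 200 status on a flagged request deserves the most attention, since it means the server actually returned something; on a patched 23.1.3 or later install the same requests should be refused, so flagged-and-successful rows are the ones to treat as a probable compromise and feed into the credential rotation step above.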
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-4885 |
| Vendor / Product | Progress — WhatsUp Gold |
| NVD Published | 2024-06-25 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 |
| CISA KEV Added | 2025-03-03 |
| CISA KEV Deadline | 2025-03-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-06-25 | CVE published; Progress releases WhatsUp Gold 23.1.3 with patch |
| 2025-03-03 | Added to CISA Known Exploited Vulnerabilities catalog (delayed addition — eight months after patch) |
| 2025-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Progress WhatsUp Gold Security Bulletin — June 2024 | Vendor Advisory |
| NVD — CVE-2024-4885 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |