What is Progress WhatsUp Gold?
Progress WhatsUp Gold is a network monitoring and management platform used by IT teams to monitor device availability, performance, and health across on-premises and cloud infrastructure. It is deployed with broad network access — it must reach and query routers, switches, servers, and other devices — and typically runs on a Windows server with a local SQL Server database. Because WhatsUp Gold holds SNMP community strings, SSH credentials, and WMI passwords for monitored devices, a full compromise of WhatsUp Gold grants an attacker authenticated access to a large portion of the monitored network infrastructure.
Overview
CVE-2024-6670 is an unauthenticated SQL injection vulnerability in Progress WhatsUp Gold that allows a remote attacker to retrieve the admin user's encrypted password from the application database. WhatsUp Gold uses a static encryption key for password storage, meaning the encrypted password can be decrypted offline to recover the plaintext administrator password. With the admin password, attackers gain full application access, which in observed campaigns was leveraged to execute remote access tooling (RATs) and ransomware via WhatsUp Gold's built-in script execution and Active Monitor PowerShell features. CISA added it to the KEV catalog on September 16, 2024, and ransomware use has been confirmed.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Progress WhatsUp Gold | < 24.0.0 | 24.0.0 |
All versions prior to 24.0.0 are affected. This vulnerability was disclosed alongside CVE-2024-6671 (also SQL injection) and both were patched in the same release.
Technical Details
CWE-89 (SQL Injection). The vulnerability exists in the NmConsole/Recovery/RecoverySetup.aspx page (and related password recovery endpoints), which accept user-supplied input that is incorporated into SQL queries without adequate sanitization. An unauthenticated attacker can inject SQL commands to retrieve the admin user's password value from the database.
WhatsUp Gold stores passwords using a static, application-wide encryption key. This means the encrypted password value returned by the SQL injection can be decrypted using the known key, recovering the plaintext administrator password without any brute-force effort. The attack chain then proceeds:
- CVE-2024-6670 — SQL injection retrieves encrypted admin password.
- Offline decryption using the static key yields the plaintext password.
- Attacker authenticates to WhatsUp Gold as administrator.
- WhatsUp Gold's script execution features (Active Monitors, Remote Executors) are used to run attacker-controlled payloads (RATs, ransomware loaders) on the WhatsUp Gold server and monitored devices.
Discovery
Discovered by Sina Kheirkhah of the Summoning Team and reported through Trend Micro's Zero Day Initiative (ZDI). ZDI published its technical analysis in September 2024, after which active exploitation began rapidly.
Exploitation Context
Active exploitation was observed shortly after ZDI's September 12, 2024 technical publication, with ransomware operators among the threat actors targeting vulnerable WhatsUp Gold instances. CISA's ransomware flag confirms deployment of ransomware via this attack path. Attackers specifically abused WhatsUp Gold's legitimate PowerShell Active Monitor functionality to execute malicious payloads — a living-off-the-land technique that leverages the monitoring platform's built-in capabilities rather than deploying external tools. Because WhatsUp Gold runs as a privileged Windows service with broad network access, ransomware deployed through it had wide lateral movement potential within monitored environments.
Remediation
- Upgrade to Progress WhatsUp Gold 24.0.0 or later, which patches both CVE-2024-6670 and CVE-2024-6671.
- Restrict access to the WhatsUp Gold web interface to trusted internal IP addresses; it should not be internet-accessible.
- After patching, rotate the WhatsUp Gold administrator password and all monitoring credentials (SNMP, SSH, WMI) stored in the application database.
- Review WhatsUp Gold audit logs and Active Monitor execution logs for unauthorized script execution or unusual PowerShell activity.
- If the application was internet-accessible or exploitation cannot be ruled out, conduct a host-level compromise assessment on the WhatsUp Gold server and monitored devices for RAT implants or ransomware staging activity.
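To support the access-restriction and log-review steps above, the following triage check is an added example, not code from Progress or from the advisory. It assumes the web interface is served by IIS with W3C logging, flags requests to the recovery endpoints named under Technical Details that come from outside a trusted allow-list, and uses constructed subnets and log lines.

```python
import ipaddress

# Assumption: the WhatsUp Gold web UI is served by IIS with W3C logging enabled.
# Path prefix taken from the advisory text; compared case-insensitively, as IIS does.
RECOVERY_PREFIX = "/nmconsole/recovery/"
# Assumption: example management subnets; replace with your own allow-list.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8")]

# Constructed sample log (documentation-range client addresses), not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-09-13 02:11:07 GET /NmConsole/ - 10.20.0.15 200
2024-09-13 02:14:40 POST /NmConsole/Recovery/RecoverySetup.aspx - 203.0.113.50 200
2024-09-13 02:15:02 GET /NmConsole/Recovery/RecoverySetup.aspx - 10.20.0.15 200
2024-09-13 02:15:09 POST /nmconsole/recovery/RecoverySetup.aspx - 198.51.100.7 500
""".splitlines()

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_recovery_hits(lines):
    """Return parsed rows that touch the recovery endpoints from outside TRUSTED_NETS."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                         # truncated or malformed row
        row = dict(zip(fields, parts))
        if not row.get("cs-uri-stem", "").lower().startswith(RECOVERY_PREFIX):
            continue
        try:
            trusted = is_trusted(row.get("c-ip", ""))
        except ValueError:
            trusted = False                  # unparsable client address: keep for review
        if not trusted:
            hits.append(row)
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_recovery_hits(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```

A hit is a lead for the compromise assessment, not proof of exploitation; correlate its timestamp with Active Monitor changes and PowerShell activity on the server.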
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-6670 |
| Vendor / Product | Progress — WhatsUp Gold |
| NVD Published | 2024-08-29 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2024-09-16 |
| CISA KEV Deadline | 2024-10-07 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-08-29 | CVE published; Progress releases WhatsUp Gold 24.0.0 with patch |
| 2024-09-12 | Trend Micro Zero Day Initiative publishes technical details; active exploitation confirmed within days |
| 2024-09-16 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-10-07 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Progress WhatsUp Gold Security Bulletin — August 2024 | Vendor Advisory |
| NVD — CVE-2024-6670 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |