Progress has confirmed critical SQL injection vulnerabilities in all WhatsUp Gold versions released before 2024.0.0. If exploited, they let an attacker inject SQL commands into the application's database queries, putting the credentials and data the product manages at risk. Progress reports no exploitation in the wild at the time of the advisory, but is strongly advising all customers to update to the latest version promptly.
The most severe of the three is CVE-2024-6670 (WUG-16138), which carries a CVSS score of 9.8. This SQL injection vulnerability affects WhatsUp Gold versions released before 2024.0.0 and is exploitable when the application is configured with only a single user: an unauthenticated attacker can retrieve that user's encrypted password, which can then be used to gain unauthorized access. The discovery was credited to Sina Kheirkhah of the Summoning Team, working with the Trend Micro Zero Day Initiative.
CVE-2024-6671 (WUG-16139) is a second SQL injection vulnerability in the same pre-2024.0.0 versions. Like CVE-2024-6670, it applies when the application is configured with only a single user, and it allows an unauthenticated attacker to retrieve that user's encrypted password. This flaw was also attributed to Sina Kheirkhah and the Summoning Team.
The third, CVE-2024-6672 (WUG-16142), is a SQL injection vulnerability that an authenticated low-privileged attacker can use to escalate privileges by modifying a privileged user's password. It requires valid credentials and is therefore rated slightly less critical than the two unauthenticated flaws, but it still poses a significant threat to system security and integrity. Its identification was likewise credited to Sina Kheirkhah and the Summoning Team.
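The advisory does not publish the affected endpoints or queries, so the following is an added, generic illustration of the two SQL injection patterns it describes (an unauthenticated read of a stored encrypted password, and an authenticated write that retargets a password change at a privileged account). It is not WhatsUp Gold's code; the schema, the function names and the sample rows are all constructed for the example, and the single-account precondition is modelled only in the simplest way a tautology-style injection makes it matter. The vulnerable functions splice caller input into the SQL text; the fixed variants bind it as a parameter.

```python
import sqlite3

# Constructed sample data (not taken from any real deployment). The first set
# mirrors the "configured with only a single user" precondition.
SINGLE_USER = [("admin", "ENC:3f9a...", 1)]
TWO_USERS = [("admin", "ENC:3f9a...", 1), ("bob", "ENC:77c1...", 0)]


def make_db(users):
    """In-memory SQLite stand-in for the product's user store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "password_enc TEXT NOT NULL, is_admin INTEGER NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", users)
    db.commit()
    return db


def lookup_password_vulnerable(db, username):
    """Pre-auth lookup that splices the caller-supplied name into the SQL text."""
    sql = f"SELECT password_enc FROM users WHERE username = '{username}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_password_fixed(db, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    row = db.execute("SELECT password_enc FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


def change_own_password_vulnerable(db, current_user, new_password_enc):
    """Authenticated self-service change. The WHERE clause is meant to confine
    the write to the caller's own row, but the new value is spliced in unescaped,
    so the caller can supply a new WHERE clause and comment out the real one."""
    sql = (f"UPDATE users SET password_enc = '{new_password_enc}' "
           f"WHERE username = '{current_user}'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount  # rows actually modified


def change_own_password_fixed(db, current_user, new_password_enc):
    """Parameterised version: the value can only ever land in the caller's row."""
    cur = db.execute("UPDATE users SET password_enc = ? WHERE username = ?",
                     (new_password_enc, current_user))
    db.commit()
    return cur.rowcount


def stored_password(db, username):
    """Helper used to inspect the outcome of an update."""
    row = db.execute("SELECT password_enc FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


def demo():
    # Unauthenticated read: with one configured account, a tautology in the
    # username returns exactly that account's row, no valid username required.
    db = make_db(SINGLE_USER)
    probe = "' OR 1=1 --"
    leaked = lookup_password_vulnerable(db, probe)  # admin's encrypted password
    denied = lookup_password_fixed(db, probe)       # None: no such user

    # Authenticated escalation: low-privileged "bob" aims the UPDATE at "admin".
    db2 = make_db(TWO_USERS)
    payload = "ENC:attacker' WHERE username = 'admin' --"
    change_own_password_vulnerable(db2, "bob", payload)
    return leaked, denied, stored_password(db2, "admin"), stored_password(db2, "bob")


if __name__ == "__main__":
    print(demo())
```

The two vulnerable functions are the shape to look for in any code that builds SQL from request data; the fix in both cases is the same, bind the value rather than format it into the statement. The example uses SQLite so it runs offline, but the pattern is database-agnostic.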
In response, Progress is urging all WhatsUp Gold customers on versions older than 2024.0.0 to upgrade promptly. Because two of the three flaws require no credentials, installations whose web console is reachable by untrusted networks should be treated as the most urgent. The upgrade is straightforward, typically takes 30 minutes or less, and is free of charge to customers with an active service agreement. Progress is offering help through its Customer Support and Professional Services teams, with technical assistance available to customers with an active service agreement or subscription.
Customers without an active agreement are advised to contact Progress Sales to reinstate their license. Progress states that the security of WhatsUp Gold users is a top priority, which is why it has moved quickly to address these vulnerabilities and to notify customers proactively. Upgrading to the latest version is the only complete remediation for the identified flaws.

