
Active exploitation of WhatsUp Gold vulnerabilities

Take action: If you are using Progress WhatsUp Gold, update it NOW. The software is under active attack, and it's only a matter of time before an unpatched installation is hacked.



Hackers have been actively exploiting two critical vulnerabilities in WhatsUp Gold, a network monitoring solution developed by Progress Software. These vulnerabilities, tracked as CVE-2024-6670 and CVE-2024-6671, are SQL injection flaws that allow attackers to retrieve encrypted passwords without authentication.

The exploitation has been ongoing since August 30, 2024, despite the vendor releasing patches on August 16, 2024.

Trend Micro reported that active exploitation began within five hours of the PoC release. Hackers leveraged the vulnerabilities to achieve remote code execution using the legitimate functionality of WhatsUp Gold’s Active Monitor PowerShell Script.

Attackers used NmPoller.exe to run multiple PowerShell scripts retrieved from remote URLs. These scripts employed the Windows utility ‘msiexec.exe’ to install remote access tools (RATs) such as Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote.
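The process chain described above gives defenders something concrete to hunt for: msiexec.exe running with NmPoller.exe somewhere in its ancestry. The following detection sketch is an added example, not code from Trend Micro or Progress; the event field names, paths, PIDs and URL are constructed, and it assumes PIDs are unique within the window being searched.

```python
import ntpath
import re

# Constructed process-creation records (fields modelled on Sysmon Event ID 1).
# Paths, PIDs and the URL are invented for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\APP\NmPoller.exe", "cmd": "NmPoller.exe"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File a.ps1"},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /i https://files.example.invalid/setup.msi /qn"},
    {"pid": 13, "ppid": 10, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Temp\agent.msi /qn"},
    {"pid": 20, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 21, "ppid": 20, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\a\Downloads\tool.msi"},
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... of an event; stops on unknown PIDs or cycles."""
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        yield parent
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])

def find_suspicious_installs(events, root="nmpoller.exe"):
    """Flag msiexec.exe launches that descend, directly or indirectly, from root."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        chain = [basename(a["image"]) for a in ancestors(e, by_pid)]
        if root not in chain:
            continue  # ordinary installer activity, e.g. started from explorer.exe
        path = chain[: chain.index(root) + 1][::-1] + ["msiexec.exe"]
        url = REMOTE_URL.search(e["cmd"])
        alerts.append({"pid": e["pid"], "chain": " > ".join(path),
                       "remote_source": url.group(0) if url else None})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_installs(SAMPLE_EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent catches the installer whether it is started by the poller itself or by an intermediate PowerShell process.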

The attacks have not been attributed to any specific threat groups, but the use of multiple RATs suggests the involvement of ransomware actors.

Organizations using WhatsUp Gold are strongly encouraged to update their software to the latest version and apply the patches provided by Progress Software to mitigate the risks of these vulnerabilities being exploited.
