Progress Software patches three critical SQL injection flaws in WhatsUp Gold
Take action: If you are using Progress WhatsUp Gold, update it as soon as possible. As an interim measure, block access to the service from the internet so that SQL injection attacks cannot reach the system. Then patch anyway, because someone will eventually find a way into your network.
Learn More
The Progress WhatsUp Gold team has confirmed three critical SQL Injection vulnerabilities affecting all versions released before 2024.0.0.
Progress WhatsUp Gold is IT infrastructure monitoring software designed to provide real-time visibility into network performance, server health, and application availability.
The identified vulnerabilities are:
- CVE-2024-6670 (CVSS score 9.8) - This SQL Injection vulnerability allows unauthenticated attackers to retrieve the encrypted password of the single configured user.
- CVE-2024-6671 (CVSS score 9.8) - Similar to CVE-2024-6670, this flaw also allows the retrieval of the encrypted user password via SQL Injection in systems with a single-user configuration.
- CVE-2024-6672 (CVSS score 8.8) - This vulnerability allows an authenticated low-privileged attacker to escalate privileges by modifying a privileged user's password through a SQL Injection attack. This vulnerability can be chained with the previous two to escalate privileges.
Affected versions are all versions before 2024.0.0.
Although there have been no reports of these vulnerabilities being exploited in the wild, Progress is urging all WhatsUp Gold customers to upgrade their systems to version 2024.0.0 as soon as possible. Upgrades are free for customers with an active service agreement, and the process typically takes less than 30 minutes. Direct upgrades are supported from WhatsUp Gold 20.0.2 and newer.
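As an added triage example (not code from Progress or from this advisory), the following Python applies the advisory's thresholds to a constructed inventory: hosts below 2024.0.0 are flagged as affected, and each gets an action depending on whether a direct upgrade is supported (20.0.2 and newer). The hostnames, the version strings and the dotted-integer version format are assumptions.

```python
"""Triage helper for the WhatsUp Gold advisory (added example, not Progress code).

Assumption (not from the advisory): versions are dotted integers such as "2023.1.2",
and an inventory is a mapping of hostname -> installed version string.
"""
from __future__ import annotations

FIXED_VERSION = "2024.0.0"      # first fixed release, per the advisory
DIRECT_UPGRADE_MIN = "20.0.2"   # oldest release that can upgrade directly, per the advisory
ADVISORY_CVES = ("CVE-2024-6670", "CVE-2024-6671", "CVE-2024-6672")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2023.1' into (2023, 1, 0) so short strings compare like full ones."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """All versions released before 2024.0.0 are affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def direct_upgrade_supported(version: str) -> bool:
    """Direct upgrade to 2024.0.0 is supported from 20.0.2 and newer."""
    return parse_version(version) >= parse_version(DIRECT_UPGRADE_MIN)


def triage(inventory: dict[str, str]) -> dict[str, dict]:
    """Return, per host, whether it is affected and the recommended action."""
    result = {}
    for host, version in inventory.items():
        affected = is_affected(version)
        if not affected:
            action = "none (already on 2024.0.0 or later)"
        elif direct_upgrade_supported(version):
            action = "upgrade directly to 2024.0.0; block internet access until done"
        else:
            action = "older than 20.0.2: plan a staged upgrade; block internet access now"
        result[host] = {"version": version, "affected": affected, "action": action,
                        "cves": ADVISORY_CVES if affected else ()}
    return result


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {"wug-prod-01": "2023.1.2", "wug-lab-01": "2024.0.0", "wug-legacy-01": "17.1.0"}

if __name__ == "__main__":
    for host, info in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: v{info['version']} affected={info['affected']} -> {info['action']}")
```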