CVE-2024-4885 is a vulnerability in Progress WhatsUp Gold
Published on June 25, 2024

WhatsUp Gold versions released before 2023.1.3 contain an unauthenticated remote code execution vulnerability. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip method allows execution of commands with iisapppool\nmconsole privileges.


Known Exploited Vulnerability

This Progress WhatsUp Gold Path Traversal Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.

The following remediation steps are recommended / required by March 24, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2024-4885 can be exploited over the network and requires neither privileges nor user interaction. It is considered to have low attack complexity and has the highest possible exploitability rating (3.9). The potential impact of an exploit is considered critical, because the vulnerability has a high impact on the confidentiality, integrity and availability of this component.


Products Associated with CVE-2024-4885


What versions of WhatsUp Gold are vulnerable to CVE-2024-4885?