Progress Software warned customers to patch multiple critical and high-severity vulnerabilities in its WhatsUp Gold network monitoring tool as soon as possible.
However, even though it released WhatsUp Gold 24.0.1, which addressed the issues last Friday and published an advisory on Tuesday, the company has yet to provide any details regarding these flaws.
“The WhatsUp Gold team has identified six vulnerabilities that exist in versions below 24.0.1,” Progress warned customers this week.
“We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20. If you are running a version older than 24.0.1 and you do not upgrade, your environment will remain vulnerable.”
The only information available is that the six vulnerabilities were reported by Summoning Team’s Sina Kheirkhah, Trend Micro’s Andy Niu, and Tenable researchers and were assigned the following CVE IDs and CVSS base scores:
To upgrade to the latest version, download the WhatsUp Gold 24.0.1 installer from here, run it on vulnerable WhatsUp Gold servers, and follow the prompts.
BleepingComputer contacted Progress to request more details about these flaws, but a response was not immediately available.
Since August 30, attackers have been exploiting two WhatsUp Gold SQL injection vulnerabilities tracked as CVE-2024-6670 and CVE-2024-6671. Both flaws were patched on August 16 after being reported to Progress by security researcher Sina Kheirkhah through the Zero Day Initiative (ZDI) on May 22.
Kheirkhah released proof-of-concept (PoC) exploit code for the vulnerabilities two weeks after they were fixed on August 30 (cybersecurity firm Trend Micro believes the attackers have used his PoC exploit to bypass authentication and achieve remote code execution).
In early August, threat monitoring organization Shadowserver Foundation also observed attempts to exploit CVE-2024-4885, a critical remote code execution WhatsUp Gold vulnerability disclosed on June 25. Kheirkhah also discovered CVE-2024-4885 and published full details on his blog two weeks later.