Privilege Escalation Vulnerability Affects WhatsUp Gold Users
CVE-2024-46905

8.8HIGH

Key Information:

Vendor: Progress Software
Status: Whatsup Gold
Vendor: CVE Published:; 2 December 2024

What is CVE-2024-46905?

CVE-2024-46905 is a privilege escalation vulnerability affecting WhatsUp Gold, a network management platform developed by Progress Software Corporation. This vulnerability exists in versions released before 2024.0.1 and allows a lower-privileged authenticated user—specifically one with at least Network Manager permissions—to escalate their privileges to that of an admin account. This could severely compromise the security of an organization, as it grants unauthorized users the ability to access sensitive configurations and systems, potentially disrupting network operations.

Technical Details

The core of CVE-2024-46905 lies in a SQL Injection vulnerability within the WhatsUp Gold application. SQL Injection vulnerabilities permit attackers to manipulate a web application's database queries by injecting arbitrary SQL code through input fields. In this case, an authenticated user can exploit this vulnerability to escalate their privileges, gaining access to all administrative functions and controls, which should be restricted. Proper input validation and sanitation measures are critical to mitigate such vulnerabilities, but the existence of this flaw indicates a failure to adequately secure user inputs within the application.

Potential Impact of CVE-2024-46905

Unauthorized System Control: The ability for lower-privileged users to gain admin access can lead to unauthorized changes in system configurations, potentially allowing malicious activities or misconfigurations that impact network performance and security posture.
Data Breach Risks: With escalated privileges, attackers could access sensitive information stored in the application, leading to potential data leaks and breaches that could have regulatory implications for the organization.
Increased Attack Surface: The vulnerability not only serves as a point of access for specific users but also increases the overall attack surface of the network management system, making it a potential target for further exploitation by malicious actors.

Affected Version(s)

WhatsUp Gold Windows 2023.1.0

References

https://www.progress.com/network-monitoring

https://community.progress.com/s/article/WhatsUp-Gold-Sec...

vendor-advisory

https://docs.progress.com/bundle/whatsupgold-release-note...

release-notes

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 2, 2024
Vulnerability Reserved
Sep 13, 2024

Collectors

NVD DatabaseMitre Database

Credit

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative