Privilege Escalation Vulnerability in WhatsUp Gold Allows Low-Privileged Users to Access Admin Account
CVE-2024-46906

8.8 HIGH

Key Information:

Vendor: Progress Software Corporation
CVE Published: 2 December 2024

What is CVE-2024-46906?

CVE-2024-46906 is a privilege escalation vulnerability in WhatsUp Gold, the network monitoring software developed by Progress Software Corporation. WhatsUp Gold monitors network devices, performance, and uptime, and provides visibility into IT infrastructure. The vulnerability allows an authenticated low-privileged user, specifically one holding Report Viewer permissions, to exploit a SQL Injection flaw and gain access to administrative functions and controls. Such an escalation can severely undermine the security of an organization's IT environment, potentially leading to unauthorized access to sensitive data and operational controls.

Technical Details

CVE-2024-46906 is rooted in a SQL Injection vulnerability present in WhatsUp Gold versions prior to 2024.0.1. The flaw allows a user with limited access rights to execute attacker-controlled SQL queries, compromising the database and ultimately escalating their privilege to that of an administrator. A flaw of this kind points to a significant gap in the application's input validation and access controls, so organizations running WhatsUp Gold should address it promptly.

Potential impact of CVE-2024-46906

  1. Unauthorized Access to Sensitive Information: The ability for low-privileged users to elevate their privileges can lead to unauthorized access to sensitive network configurations and performance data, putting critical information at risk.

  2. Manipulation of System Configurations: An attacker gaining administrative access could alter system settings or configurations, potentially leading to service disruptions and network instability, impacting business operations.

  3. Increased Risk of Further Exploitation: By leveraging administrative privileges, an attacker may deploy additional malicious tools or exploits within the network, increasing the vulnerability of the organization's infrastructure to secondary attacks.

Affected Version(s)

WhatsUp Gold Windows 2023.1.0

CVSS v3.1

  • Score: 8.8
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, MITRE Database

Credit

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam), working with Trend Micro Zero Day Initiative.