Researchers have published a proof-of-concept (PoC) exploit for CVE-2024-8785, a critical remote code execution vulnerability affecting Progress WhatsUp Gold, a popular network monitoring solution for enterprises.
CVE-2024-8785 and the PoC exploit
CVE-2024-8785 stems from the incorrect use of a privileged application programming interface (API) that may allow attackers to overwrite the Windows Registry.
The API endpoint in question – NmAPI.exe – can be exploited by unauthenticated, remote attackers to change an existing registry value or create a new one under HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeIpswitch.
“Specifically, the attacker can change HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeIpswitchNetwork MonitorWhatsUp GoldSetupInstallDir to a UNC path pointing to a host controlled by the attacker (i.e., \
“When the Ipswitch Service Control Manager service (ServiceControlManager.exe) restarts (i.e., due to system restart after a Windows update), various manifest files (i.e., WhatsUpPlatform-PluginManifest.xml) are read from the attacker-controlled host. These files specify processes to be started by ServiceControlManager.exe. The attacker can add a
What to do?
CVE-2024-8785 affects WhatsUp Gold versions prior to version 24.0.1.
The vulnerability was discovered and reported by Tenable to Progress Software in early September 2024. The company released fixes for it (as well as other internally-discovered vulnerabilities) on September 20 and urged users to upgrade their environment to a fixed version (v24.0.1) as soon as possible.
In the past few months, attackers have repeatedly capitalized on publicly released PoC exploits for other WhatsUp Gold flaws, so upgrading is more important than ever.