PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785)
Researchers have published a proof-of-concept (PoC) exploit for CVE-2024-8785, a critical remote code execution vulnerability affecting Progress WhatsUp Gold, a popular network monitoring solution for enterprises.
CVE-2024-8785 and the PoC exploit
CVE-2024-8785 stems from the incorrect use of a privileged application programming interface (API) that may allow attackers to overwrite the Windows Registry.
The API endpoint in question – NmAPI.exe – can be exploited by unauthenticated, remote attackers to change an existing registry value or create a new one under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch.
“Specifically, the attacker can change HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup\InstallDir to a UNC path pointing to a host controlled by the attacker (i.e., \\
“When the Ipswitch Service Control Manager service (ServiceControlManager.exe) restarts (i.e., due to system restart after a Windows update), various manifest files (i.e., WhatsUpPlatform-PluginManifest.xml) are read from the attacker-controlled host. These files specify processes to be started by ServiceControlManager.exe. The attacker can add a
What to do?
CVE-2024-8785 affects WhatsUp Gold versions prior to version 24.0.1.
The vulnerability was discovered and reported by Tenable to Progress Software in early September 2024. The company released fixes for it (as well as other internally-discovered vulnerabilities) on September 20 and urged users to upgrade their environment to a fixed version (v24.0.1) as soon as possible.
In the past few months, attackers have repeatedly capitalized on publicly released PoC exploits for other WhatsUp Gold flaws, so upgrading is more important than ever.
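A defender-side check for the registry tampering described above, as an added example that is not from the article, Tenable or Progress: it walks the Ipswitch key read-only and reports any string value, InstallDir included, that points at a UNC path. The function names and the sample values are assumptions made for illustration.

```powershell
# Added example: read-only audit, not code from the article, Tenable or Progress.
# Key path and value name are the ones quoted in the article; function names are hypothetical.
$IpswitchRoot = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch'
$SetupKey     = "$IpswitchRoot\Network Monitor\WhatsUp Gold\Setup"

function Test-RemotePath {
    param([string]$Data)
    # True for \\host\share, //host/share and \\?\UNC\host\share;
    # false for local device paths such as \\?\C:\ and \\.\pipe\
    return $Data -match '^\s*"?[\\/]{2}(?:\?[\\/]UNC[\\/])?[^\\/?.\s]'
}

function Get-RemotePathRegistryValue {
    param([string]$Path = $IpswitchRoot)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # product not installed
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Raw read: do not expand %VAR% in REG_EXPAND_SZ before matching
            $data = $key.GetValue($name, $null, $raw)
            foreach ($item in @($data)) {   # REG_MULTI_SZ yields several strings
                if ($item -is [string] -and (Test-RemotePath $item)) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $item }
                }
            }
        }
    }
}

# Matcher behaviour on constructed sample data (not values from the article)
'\\198.51.100.7\share\WUG', '\\?\UNC\fileserver\wug', 'C:\WUG', '\\?\C:\WUG' |
    ForEach-Object { '{0,-28} remote={1}' -f $_, (Test-RemotePath $_) }

$hits = @(Get-RemotePathRegistryValue)
if ($hits.Count -gt 0) {
    $hits | Format-List | Out-Host
    Write-Warning "$($hits.Count) value(s) under $IpswitchRoot reference a remote host."
} else {
    Write-Output "No remote paths found under $IpswitchRoot."
}
# Current value of the setting named in the article, for the record
(Get-ItemProperty -LiteralPath $SetupKey -Name InstallDir -ErrorAction SilentlyContinue).InstallDir
```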
source: HelpNetSecurity