Cyber Resilience

CVE-2024-4885

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 June 2024
Modified: 31 October 2025
KEV Added: 03 March 2025
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9427 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-4885 is a critical-severity path traversal (CWE-22) vulnerability in Progress WhatsUp Gold that allows unauthenticated remote code execution. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9427), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest compensating mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the definitive fix is the vendor upgrade to 2023.1.3 or later.

Deeper analysis

CVE-2024-4885 is an unauthenticated remote code execution vulnerability affecting Progress WhatsUp Gold versions released before 2023.1.3. The flaw resides in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip component, which permits command execution under the iisapppool\nmconsole account (an IIS application-pool identity). It is tracked as CWE-22 (path traversal) with a CVSS v3.1 score of 9.8.

An attacker with network reach to the WhatsUp Gold web interface can invoke the vulnerable export utility without authentication and run arbitrary commands on the server, compromising the confidentiality, integrity, and availability of the host (CVSS C:H/I:H/A:H).
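The mistake class behind this advisory is a filename taken from an unauthenticated request and joined onto a server-side directory. The following is an added example, not Progress code and not a reconstruction of GetFileWithoutZip (whose internals this page does not describe): it shows the naive CWE-22 join next to a hardened resolver that decodes, normalises separators the way an IIS host would tolerate, rejects absolute paths and parent segments, and confirms containment on the canonicalised path. EXPORT_ROOT and every probe filename are constructed for illustration.

```python
"""Traversal-safe resolution of a user-supplied export filename (added example).

Models only the CWE-22 pattern named in the advisory and a hardened alternative;
it is not vendor code. EXPORT_ROOT and all sample names are constructed.
"""
import os
from urllib.parse import unquote

EXPORT_ROOT = "/var/app/exports"   # assumed directory the export utility serves from


def resolve_vulnerable(user_name: str) -> str:
    """Naive join: '..' segments walk out of EXPORT_ROOT and normpath happily
    returns the escaped path. Kept only for contrast with resolve_hardened."""
    return os.path.normpath(os.path.join(EXPORT_ROOT, user_name))


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded '..' (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_hardened(user_name: str, root: str = EXPORT_ROOT) -> str:
    """Return an absolute path strictly inside `root`, or raise ValueError.

    Order matters: decode first (so encoded separators are visible), reject NUL,
    unify separators (IIS hosts accept '\\' as well as '/'), reject absolute and
    drive-letter paths, reject any '..' segment, then verify containment on the
    canonicalised path so a symlink placed inside root cannot point outside it.
    """
    decoded = _fully_decode(user_name)
    if "\x00" in decoded:
        raise ValueError("NUL byte in filename")
    decoded = decoded.replace("\\", "/")
    # ':' also blocks NTFS alternate data streams such as report.csv:hidden
    if decoded.startswith("/") or ":" in decoded:
        raise ValueError("absolute or drive-letter path not allowed")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise ValueError("empty name or parent-directory segment")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("resolved path escapes export root")
    return candidate


def is_safe(user_name: str) -> bool:
    """Boolean wrapper around resolve_hardened for bulk checks."""
    try:
        resolve_hardened(user_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    probes = ["report.csv", "sub/./report.csv", "../../etc/passwd",
              "..%2f..%2fetc%2fpasswd", "..%252f..%252fetc%252fpasswd",
              "..\\..\\..\\Windows\\win.ini", "C:\\Windows\\win.ini", "report%00.csv"]
    for p in probes:
        print(f"{p!r:36} naive={resolve_vulnerable(p)!r:44} safe={is_safe(p)}")
```

The containment check on the canonicalised path is the part most implementations skip: filtering `..` alone does nothing against a symlink that already exists under the export directory, and decoding only once misses the double-encoded payloads scanners try first.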

Progress has published a security bulletin directing customers to upgrade to version 2023.1.3 or later, and the issue is listed in CISA's Known Exploited Vulnerabilities catalog (added 03 March 2025).

The EPSS score has held at a high 0.9427 (99.9th percentile) since disclosure, indicating persistent and substantial exploitation interest.

Vulnerability details

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated remote code execution vulnerability exists in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip component allows execution of commands with iisapppool\nmconsole privileges.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

progress
whatsup gold
< 23.1.3 (all versions released before 2023.1.3; 2023.1.3 is the fixed release)
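Inventories report WhatsUp Gold in both the long form the vendor uses (2023.1.3) and the short CPE-style form above (23.1.3), which makes a plain string comparison unreliable. The following added example (not vendor or page code) normalises both forms to one tuple and flags anything older than the fixed release; the assumption that the short form is simply the long form with the "20" dropped, and all hostnames and versions in the sample inventory, are constructed for illustration.

```python
"""Affected-version triage for CVE-2024-4885 (added example, not vendor code).

Assumes '2023.1.3' and '23.1.3' denote the same release, as the page lists both
forms for the fix. Sample inventory below is constructed.
"""
import re
from typing import Dict, Tuple

FIXED_VERSION = "2023.1.3"  # first fixed release per the vendor bulletin

_VERSION_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2023.1.3' and '23.1.3' both become (23, 1, 3); '2022.1' becomes (22, 1, 0).

    A trailing build number (e.g. '2023.1.3.456') is accepted and ignored.
    Raises ValueError for anything that is not a dotted numeric version.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major = int(m.group(1))
    if major >= 2000:          # long-form year prefix: 2023 -> 23 (assumption)
        major -= 2000
    minor = int(m.group(2) or 0)
    patch = int(m.group(3) or 0)
    return (major, minor, patch)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host to whether its reported version is affected."""
    return {host: is_affected(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: mixed long/short forms as real asset exports tend to be.
    sample = {"nms-01": "2023.1.2", "nms-02": "23.1.3", "nms-03": "2022.1", "nms-04": "2024.0.1"}
    for host, affected in triage(sample).items():
        print(f"{host}: {sample[host]:>9} -> {'AFFECTED' if affected else 'fixed'}")
```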

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Directly blocks the unauthenticated requests that trigger GetFileWithoutZip command execution.

prevent (SI-10, Information Input Validation): Enforces input validation to stop the path-traversal payloads that enable the RCE.

prevent (least privilege): Limits privileges of the iisapppool\nmconsole account so any successful execution has reduced impact.

These are compensating controls; none of them replaces upgrading to 2023.1.3 or later.

References