CVE-2024-6670
Published: 29 August 2024
Summary
CVE-2024-6670 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress WhatsUp Gold. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-6670 is a SQL injection vulnerability, tracked under CWE-89, that affects WhatsUp Gold versions released before 2024.0.0. The flaw resides in the network monitoring application and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated remote attacker can exploit the injection to retrieve encrypted user passwords, resulting in high impact to confidentiality, integrity, and availability. Because the vulnerability can be reached directly over the network, an adversary needs only the ability to send crafted requests to a vulnerable instance.
The vendor Progress has published a security bulletin directing customers to upgrade to WhatsUp Gold 2024.0.0 or later, and the CVE appears in CISA’s Known Exploited Vulnerabilities catalog, confirming that mitigation through patching is required for affected deployments.
The associated EPSS score has reached a peak of 0.9679 with a current value of 0.9447, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48017
Vulnerability details
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
- CWE(s): CWE-89 (SQL Injection)
- KEV Date Added: 16 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to the WhatsUp Gold application, blocking the crafted SQL statements that enable unauthenticated password retrieval.
- SI-2 (Flaw Remediation): mandates prompt application of the vendor patch that eliminates the SQL injection flaw in versions prior to 2024.0.0.
- Access enforcement: ensures that only authenticated and authorized subjects may access user credential data, preventing the bypass achieved by the unauthenticated SQL injection.
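The following is an added illustration of the SI-10 control described above, written for this page and not taken from WhatsUp Gold or from Progress. It uses a constructed in-memory SQLite table, a hypothetical username allow-list (USERNAME_RE), and a constructed tautology probe string to contrast the CWE-89 pattern (string splicing) with a hardened lookup that validates input and binds it as a query parameter:

```python
import re
import sqlite3

# Constructed in-memory credential table; the schema and rows are illustrative only
# and do not reflect any real product's database.
SAMPLE_USERS = [("alice", "ENC(a1b2c3)"), ("bob", "ENC(d4e5f6)")]


def build_db() -> sqlite3.Connection:
    """Create the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_enc TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str):
    """CWE-89 pattern: caller-supplied text is spliced into the SQL statement,
    so any quote in the input changes the query's structure."""
    sql = f"SELECT username, password_enc FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Hypothetical allow-list policy: usernames are short and limited to safe characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(username: str) -> bool:
    """SI-10 style input validation: accept only values matching the allow-list."""
    return bool(USERNAME_RE.fullmatch(username))


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Hardened lookup: reject input that fails validation, then bind the value
    as a parameter so the driver never interprets it as SQL text."""
    if not validate_username(username):
        raise ValueError("rejected username: fails input validation")
    return conn.execute(
        "SELECT username, password_enc FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed tautology input, the textbook CWE-89 test string
    print("unsafe lookup returned rows:", len(lookup_unsafe(db, probe)))  # every row leaks
    try:
        lookup_safe(db, probe)
    except ValueError as exc:
        print("safe lookup:", exc)
```

The two layers are deliberately independent: parameter binding alone already stops the structural change to the query, and the allow-list alone would reject the probe; keeping both means a regression in one (for example a future code path that builds SQL dynamically) is still caught by the other, which is the defence-in-depth SI-10 asks for.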