Cyber Resilience

CVE-2024-6670

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 29 August 2024
Modified: 31 October 2025
KEV Added: 16 September 2024
Patch: vendor upgrade to WhatsUp Gold 2024.0.0 or later (see Deeper analysis)
CVSS v3.1 score: 9.8 (Critical); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.9447 (100.0th percentile)
Risk priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6670 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress WhatsUp Gold. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-6670 is a SQL injection vulnerability, tracked under CWE-89, that affects WhatsUp Gold versions released before 2024.0.0. The flaw resides in the network monitoring application and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can exploit the injection to retrieve encrypted user passwords, resulting in high impact to confidentiality, integrity, and availability. Because the vulnerability can be reached directly over the network, an adversary needs only the ability to send crafted requests to a vulnerable instance.

The vendor Progress has published a security bulletin directing customers to upgrade to WhatsUp Gold 2024.0.0 or later, and the CVE appears in CISA’s Known Exploited Vulnerabilities catalog, confirming that mitigation through patching is required for affected deployments.

The associated EPSS score has reached a peak of 0.9679 with a current value of 0.9447, indicating sustained exploitation interest following disclosure.

Vulnerability details

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

CWE(s): CWE-89 (SQL Injection)
KEV date added: 16 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Progress
Product: WhatsUp Gold
Versions: ≤ 24.0 (elsewhere on this record the affected range is given as versions released before 2024.0.0)

Mitigating Controls

NIST 800-53 r5 control mappings

- SI-10 (Information Input Validation), prevent: directly requires validation of all inputs to the WhatsUp Gold application, blocking the crafted SQL statements that enable unauthenticated password retrieval.
- SI-2 (Flaw Remediation), prevent: mandates prompt application of the vendor patch that eliminates the SQL injection flaw in versions prior to 2024.0.0.
- Access enforcement, prevent: enforces that only authenticated and authorized subjects may access user credential data, preventing the bypass achieved by the unauthenticated SQL injection.
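The following is an added illustration of what the SI-10 control means in code; it is not WhatsUp Gold's code, nothing on this record describes the vulnerable query, and the table, column and function names are assumptions. It runs the same lookup against a throw-away in-memory SQLite database in two forms: one that splices the caller's value into the SQL text (the CWE-89 pattern) and one that binds it as a parameter, with an allow-list check at the input boundary as a second layer. The point a defender wants to see is that the parameterized form returns nothing for a value that is not a real username, while the concatenated form returns every row.

```python
import re
import sqlite3

# Constructed sample rows for an in-memory database. Table and column names are
# assumptions for this example only, not WhatsUp Gold's schema.
SAMPLE_USERS = [
    ("alice", "ENC(alice-blob)"),
    ("bob", "ENC(bob-blob)"),
]

# Allow-list for a username field: letters, digits and a few punctuation
# characters, 1 to 64 long. Quotes, spaces, semicolons and comment markers fail.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def connect_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_enc TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """CWE-89 pattern: the untrusted value becomes part of the SQL text."""
    sql = f"SELECT username, password_enc FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username, password_enc FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username):
    """SI-10 style input validation: reject anything outside the allow-list."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    return username


def lookup_hardened(conn, username):
    """Boundary validation plus a parameterized query (defence in depth)."""
    return lookup_parameterized(conn, validate_username(username))


def compare(username):
    """Run one input through both query forms and the validator.

    Returns (rows_from_concatenation, rows_from_parameterized, validation_rejected).
    """
    conn = connect_sample_db()
    concatenated = lookup_concatenated(conn, username)
    parameterized = lookup_parameterized(conn, username)
    try:
        validate_username(username)
        rejected = False
    except ValueError:
        rejected = True
    conn.close()
    return len(concatenated), len(parameterized), rejected


if __name__ == "__main__":
    print("normal input :", compare("alice"))          # (1, 1, False)
    print("hostile input:", compare("x' OR 'a'='a"))   # (2, 0, True)
```

Parameter binding is the control that actually removes the flaw; the allow-list is cheap to add at the same boundary and gives a log-worthy rejection event before the database is ever touched, which is useful detection telemetry for an application that, as this record notes, is reachable without authentication.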
