Progress Software addresses six new security vulnerabilities affecting its WhatsUp Gold product; two of them are rated as critical severity.

Progress Software has addressed six new security vulnerabilities in its IT infrastructure monitoring product WhatsUp Gold.

"The WhatsUp Gold team has identified six vulnerabilities that exist in versions below 24.0.1. We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20," [reads the advisory](https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024). "If you are running a version older than 24.0.1 and you do not upgrade, your environment will remain vulnerable. Please take the following steps as soon as possible:

1. Download the WhatsUp Gold 24.0.1 installer from
2. Run the installer on your WhatsUp Gold server and follow the prompts."

Two of the vulnerabilities fixed by Progress, tracked as CVE-2024-8785 and CVE-2024-46909, are rated as critical severity.

[**CVE-2024-8785**](https://www.cve.org/CVERecord?id=CVE-2024-8785) (CVSS score of 9.8) was reported by Trend Micro researcher Andy Niu, while [**CVE-2024-46909**](https://www.cve.org/CVERecord?id=CVE-2024-46909) (CVSS score of 9.8) was reported by Tenable.

Below are the other vulnerabilities addressed by the company:

* CVE-2024-46905 (CVSS score: 8.8)
* CVE-2024-46906 (CVSS score: 8.8)
* CVE-2024-46907 (CVSS score: 8.8)
* CVE-2024-46908 (CVSS score: 8.8)

The company addressed the issues with version 24.0.1, released on September 20, 2024. The company has yet to disclose technical details about the vulnerabilities, and it is unclear whether they are actively exploited in attacks in the wild.

In mid-September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Progress WhatsUp Gold SQL Injection vulnerability, tracked as [CVE-2024-6670](https://www.cve.org/CVERecord?id=CVE-2024-6670), to its Known Exploited Vulnerabilities catalog. An unauthenticated attacker could trigger this vulnerability to retrieve the users' encrypted password. The flaw impacts WhatsUp Gold versions released before 2024.0.0.

WhatsUp Gold customers are advised to address the above vulnerabilities as soon as possible.

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([**SecurityAffairs**](http://securityaffairs.co/wordpress/) – hacking, Progress Software)