CVE-2024-6670
CVE-2024-6670 is a critical-severity vulnerability in Progress Whatsup Gold with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-09-16). The underlying weakness is classified as CWE-89.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 95% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-09-16)
- EU (EUVD) id: EUVD-2024-48017
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-09-16)
- Weakness: CWE-89
- Affected product: Progress Whatsup Gold
- Published:
- Last modified:
Description
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
CVE-2024-6670: Critical SQL Injection in WhatsUp Gold Enables Unauthenticated Password Retrieval
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-6670 |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") |
| CVSS 3.1 | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.94661 (99.85th percentile) |
| KEV | Yes — added 2024-09-16 |
| Product | Progress WhatsUp Gold |
| Affected | Versions before 2024.0.0 |
| Patched | 2024.0.0 |
Summary
A critical SQL injection flaw in Progress WhatsUp Gold, versions released prior to 2024.0.0, permits an unauthenticated remote attacker to inject arbitrary SQL commands. Successful exploitation can lead to retrieval of encrypted user passwords and potentially broader database compromise, earning a CVSS 3.1 base score of 9.8 (Critical).
Background
WhatsUp Gold is a network-monitoring platform developed by Progress Software, widely deployed to monitor infrastructure health, performance, and availability. Because the application typically runs with elevated database privileges and stores sensitive credentials, it represents a high-value target for attackers seeking lateral access across monitored environments.
Root Cause
The vulnerability is classified as CWE-89: SQL Injection. An unauthenticated attacker can reach an application endpoint or parameter that concatenates user-supplied input directly into a backend SQL query without adequate parameterisation, prepared statements, or input sanitisation. This allows injection of malicious SQL syntax that the database engine executes under the application's privilege context.
Impact
With a CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the flaw is:
- Network-exploitable with no authentication required.
- Low complexity — no special conditions or user interaction needed.
- High impact across confidentiality, integrity, and availability.
The documented attacker outcome is retrieval of users' encrypted passwords. Depending on the database user's privileges and the application's architecture, injection could also facilitate data exfiltration, credential modification, or denial of service.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the vulnerability class and detection strategies for defenders. It does not provide weaponised exploit code.
- Reconnaissance: Attackers typically scan for exposed WhatsUp Gold management interfaces on common web ports (HTTP/HTTPS).
- Injection point identification: Automated tools or manual testing identify parameters that accept user input and reflect SQL syntax errors or timing discrepancies.
- Data extraction: Using boolean-based or time-based blind SQL injection techniques, an adversary can slowly enumerate the database schema and extract credential tables.
- Post-exploitation: Retrieved encrypted passwords may be subjected to offline cracking if weak or outdated encryption is used, enabling further lateral movement.
Defenders should treat any WhatsUp Gold instance older than 2024.0.0 as potentially compromised if it is internet-facing.
Affected and Patched Versions
| Status | Version |
|---|---|
| Affected | WhatsUp Gold < 2024.0.0 |
| Patched | WhatsUp Gold 2024.0.0 and later |
Specific CPE: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
Remediation
- Upgrade immediately to WhatsUp Gold 2024.0.0 or the latest available release. Progress Software published a security bulletin in August 2024 addressing this issue.
- Restrict network exposure: Ensure WhatsUp Gold administrative interfaces are not exposed to the public internet. Place them behind a VPN or corporate firewall with strict IP allow-listing.
- Database privilege reduction: Run the application database user with the minimum privileges required. Avoid
dboorsa-level rights if possible. - Input validation & WAF: Deploy a Web Application Firewall (WAF) with SQL injection rules as a compensating control until patching is complete.
Detection
- Network: Monitor for anomalous HTTP requests containing SQL meta-characters (
',--,UNION,SELECT,SLEEP,WAITFOR DELAY) directed at WhatsUp Gold endpoints. - Database: Enable query logging and alert on long-running or syntactically unusual queries against the WhatsUp Gold database.
- Endpoint: Look for unexpected outbound connections from the WhatsUp Gold server, which may indicate follow-on exfiltration.
- Vulnerability scanning: Run authenticated and unauthenticated scans targeting CVE-2024-6670 signatures to confirm exposure.
Assessment
This vulnerability carries an EPSS score of 0.94661, placing it in the 99.85th percentile of observed CVEs for probability of exploitation. Its presence on the CISA Known Exploited Vulnerabilities catalog since 16 September 2024 confirms active, in-the-wild exploitation. Organisations should prioritise patching above routine maintenance windows.
Key lessons:
- Unauthenticated injection flaws in privileged applications are almost always Critical severity and demand emergency response.
- Network-monitoring tools sit at the centre of infrastructure visibility; their compromise can cascade into organisation-wide incidents.
References
Frequently asked questions
- What is CVE-2024-6670?
- In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
- How severe is CVE-2024-6670?
- CVE-2024-6670 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-6670 being actively exploited?
- Yes. CVE-2024-6670 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-09-16, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-6670?
- CVE-2024-6670 affects Progress Whatsup Gold. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-6670?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-6670 have an EU (EUVD) identifier?
- Yes. CVE-2024-6670 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-48017. It is also flagged as exploited in the EUVD (since 2024-09-16).
- When was CVE-2024-6670 published?
- CVE-2024-6670 was published on 2024-08-29 and last updated on 2026-06-17.
References
- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
- https://www.progress.com/network-monitoring
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-6670
Affected products (1)
- cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
More vulnerabilities in Progress Whatsup Gold
- CVE-2024-8785 — Critical (CVSS 9.8): In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to…
- CVE-2024-46909 — Critical (CVSS 9.8): In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability…
- CVE-2024-7763 — Critical (CVSS 9.8): In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to…
- CVE-2024-6671 — Critical (CVSS 9.8): In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL…
- CVE-2024-4885 — Critical (CVSS 9.8): In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress…
- CVE-2024-4884 — Critical (CVSS 9.8): In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress…
All CVEs affecting Progress Whatsup Gold →
Other CWE-89 (SQL Injection) vulnerabilities
- CVE-2026-54350 — Critical (CVSS 10.0): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase…
- CVE-2026-8054 — Critical (CVSS 10.0): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints…
- CVE-2026-42287 — Critical (CVSS 10.0): Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and…
- CVE-2026-3325 — Critical (CVSS 10.0): SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the…
- CVE-2025-10878 — Critical (CVSS 10.0): A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26.…
- CVE-2025-57792 — Critical (CVSS 10.0): Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of…