CVE-2024-6670

CVE-2024-6670 is a critical-severity vulnerability in Progress Whatsup Gold with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-09-16). The underlying weakness is classified as CWE-89.

Key facts

Description

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.

CVE-2024-6670: Critical SQL Injection in WhatsUp Gold Enables Unauthenticated Password Retrieval

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-6670
CWE CWE-89: Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection")
CVSS 3.1 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.94661 (99.85th percentile)
KEV Yes — added 2024-09-16
Product Progress WhatsUp Gold
Affected Versions before 2024.0.0
Patched 2024.0.0

Summary

A critical SQL injection flaw in Progress WhatsUp Gold, versions released prior to 2024.0.0, permits an unauthenticated remote attacker to inject arbitrary SQL commands. Successful exploitation can lead to retrieval of encrypted user passwords and potentially broader database compromise, earning a CVSS 3.1 base score of 9.8 (Critical).

Background

WhatsUp Gold is a network-monitoring platform developed by Progress Software, widely deployed to monitor infrastructure health, performance, and availability. Because the application typically runs with elevated database privileges and stores sensitive credentials, it represents a high-value target for attackers seeking lateral access across monitored environments.

Root Cause

The vulnerability is classified as CWE-89: SQL Injection. An unauthenticated attacker can reach an application endpoint or parameter that concatenates user-supplied input directly into a backend SQL query without adequate parameterisation, prepared statements, or input sanitisation. This allows injection of malicious SQL syntax that the database engine executes under the application's privilege context.

Impact

With a CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the flaw is:

  • Network-exploitable with no authentication required.
  • Low complexity — no special conditions or user interaction needed.
  • High impact across confidentiality, integrity, and availability.

The documented attacker outcome is retrieval of users' encrypted passwords. Depending on the database user's privileges and the application's architecture, injection could also facilitate data exfiltration, credential modification, or denial of service.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the vulnerability class and detection strategies for defenders. It does not provide weaponised exploit code.

  1. Reconnaissance: Attackers typically scan for exposed WhatsUp Gold management interfaces on common web ports (HTTP/HTTPS).
  2. Injection point identification: Automated tools or manual testing identify parameters that accept user input and reflect SQL syntax errors or timing discrepancies.
  3. Data extraction: Using boolean-based or time-based blind SQL injection techniques, an adversary can slowly enumerate the database schema and extract credential tables.
  4. Post-exploitation: Retrieved encrypted passwords may be subjected to offline cracking if weak or outdated encryption is used, enabling further lateral movement.

Defenders should treat any WhatsUp Gold instance older than 2024.0.0 as potentially compromised if it is internet-facing.

Affected and Patched Versions

Status Version
Affected WhatsUp Gold < 2024.0.0
Patched WhatsUp Gold 2024.0.0 and later

Specific CPE: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*

Remediation

  1. Upgrade immediately to WhatsUp Gold 2024.0.0 or the latest available release. Progress Software published a security bulletin in August 2024 addressing this issue.
  2. Restrict network exposure: Ensure WhatsUp Gold administrative interfaces are not exposed to the public internet. Place them behind a VPN or corporate firewall with strict IP allow-listing.
  3. Database privilege reduction: Run the application database user with the minimum privileges required. Avoid dbo or sa-level rights if possible.
  4. Input validation & WAF: Deploy a Web Application Firewall (WAF) with SQL injection rules as a compensating control until patching is complete.

Detection

  • Network: Monitor for anomalous HTTP requests containing SQL meta-characters (', --, UNION, SELECT, SLEEP, WAITFOR DELAY) directed at WhatsUp Gold endpoints.
  • Database: Enable query logging and alert on long-running or syntactically unusual queries against the WhatsUp Gold database.
  • Endpoint: Look for unexpected outbound connections from the WhatsUp Gold server, which may indicate follow-on exfiltration.
  • Vulnerability scanning: Run authenticated and unauthenticated scans targeting CVE-2024-6670 signatures to confirm exposure.

Assessment

This vulnerability carries an EPSS score of 0.94661, placing it in the 99.85th percentile of observed CVEs for probability of exploitation. Its presence on the CISA Known Exploited Vulnerabilities catalog since 16 September 2024 confirms active, in-the-wild exploitation. Organisations should prioritise patching above routine maintenance windows.

Key lessons:

  1. Unauthenticated injection flaws in privileged applications are almost always Critical severity and demand emergency response.
  2. Network-monitoring tools sit at the centre of infrastructure visibility; their compromise can cascade into organisation-wide incidents.

References

Frequently asked questions

What is CVE-2024-6670?
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
How severe is CVE-2024-6670?
CVE-2024-6670 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-6670 being actively exploited?
Yes. CVE-2024-6670 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-09-16, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-6670?
CVE-2024-6670 affects Progress Whatsup Gold. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-6670?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-6670 have an EU (EUVD) identifier?
Yes. CVE-2024-6670 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-48017. It is also flagged as exploited in the EUVD (since 2024-09-16).
When was CVE-2024-6670 published?
CVE-2024-6670 was published on 2024-08-29 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Progress Whatsup Gold

All CVEs affecting Progress Whatsup Gold →

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →