Organizations could have their enterprise environments hijacked through attacks exploiting a critical remote code execution vulnerability in Progress Software's enterprise network monitoring and management tool WhatsUp Gold, which could facilitate arbitrary code execution, according to SecurityWeek.
Such a flaw, tracked as CVE-2024-4885, stems from improper user input validation of the GetFileWithoutZip method adopted by WhatsUp Gold, noted Summoning Team, which identified and disclosed the issue.
Despite having been patched in May alongside several other critical and high-severity bugs, many of the 1,200 internet-exposed WhatsUp instances may still be at risk of being compromised in attacks following the release of a proof-of-concept exploit, reported Censys.
"These vulnerabilities can expose customers to exploitation. While we have not seen evidence of a known exploit, your system(s) could be compromised – including unauthorized access to a root account," said Progress in a June advisory, which urged an immediate upgrade for WhatsUp Gold releases up to 23.1.2.
