CVE-2024-12108 Overview
CVE-2024-12108 is an authentication weakness [CWE-290] affecting Progress WhatsUp Gold versions released before 2024.0.2. An attacker can gain unauthorized access to the WhatsUp Gold server through the product's public API. The flaw allows a low-privileged remote actor to compromise the management server, leading to a scope change with high impact on confidentiality and integrity.
The vulnerability has a forecasted exploitation probability of 21.753% (EPSS percentile 95.822), placing it in the top tier of likely-to-be-exploited issues despite no public proof-of-concept being available. Progress has released a fixed version to address the issue.
Critical Impact
Remote attackers can bypass authentication controls on the WhatsUp Gold public API to gain server access, exposing network monitoring credentials, device inventories, and management functions.
Affected Products
- Progress WhatsUp Gold versions prior to 2024.0.2
- Microsoft Windows hosts running affected WhatsUp Gold installations
- Network monitoring deployments exposing the WhatsUp Gold public API
Discovery Timeline
- 2024-12-31 - CVE-2024-12108 published to NVD
- 2025-01-06 - Last updated in NVD database
Technical Details for CVE-2024-12108
Vulnerability Analysis
CVE-2024-12108 is classified under [CWE-290] Authentication Bypass by Spoofing. The defect resides in the public API surface of Progress WhatsUp Gold, a Windows-based network monitoring platform. Attackers reach the API over the network and supply crafted requests that the server treats as trusted, bypassing intended authentication enforcement.
Successful exploitation grants access to the WhatsUp Gold server itself, not merely a single API endpoint. Because WhatsUp Gold stores credentials for SNMP, WMI, SSH, and other management protocols used to poll monitored devices, server compromise can pivot into broader network access. The scope-changed impact means the vulnerable component affects resources beyond its own security boundary.
Root Cause
The root cause is improper validation of authentication claims presented to the public API in builds before 2024.0.2. Authentication-by-spoofing weaknesses in [CWE-290] typically arise when the server accepts attacker-controlled identifiers, tokens, or headers without verifying their authenticity against a trusted source. Progress has not published low-level technical detail, but the fix is delivered through the 2024.0.2 release.
Attack Vector
Exploitation requires network access to the WhatsUp Gold API endpoint and a low-privilege foothold. No user interaction is required. An attacker sends crafted API requests to the WhatsUp Gold server, forces the application to honor unverified credentials or session material, and obtains privileged server access. Public technical details and proof-of-concept code are not currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Progress Network Monitoring Resource for vendor information.
Detection Methods for CVE-2024-12108
Indicators of Compromise
- Unexpected authenticated sessions or API calls to WhatsUp Gold endpoints originating from external or non-administrative IP addresses.
- New or modified user accounts, monitoring credentials, or scheduled tasks within WhatsUp Gold that cannot be tied to a change record.
- Outbound connections from the WhatsUp Gold server to unknown infrastructure shortly after anomalous API activity.
Detection Strategies
- Inspect WhatsUp Gold web server and application logs for API requests that succeed without a corresponding prior login event.
- Correlate API access logs with authentication logs to surface sessions whose origin or token lifecycle does not match expected workflows.
- Baseline normal public API consumers and alert on deviations in user agents, source IPs, or request volume.
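The correlation described in the list above, as an added example (not vendor code and not part of the original advisory): it parses IIS W3C log lines and flags successful API requests that have no prior successful login from the same client IP, or that come from outside the management subnet. The API prefix, login path, session lifetime, and sample log lines are assumptions constructed for illustration; correlating by client IP is a simplification for logs that carry no session identifier.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions (not from the advisory): placeholder paths; adjust to your deployment.
API_PREFIX = "/api/"                       # hypothetical public API prefix
LOGIN_PATH = "/api/login-placeholder"      # hypothetical login/token endpoint
MGMT_NET = ipaddress.ip_network("10.10.20.0/24")  # subnet from the firewall example
SESSION_TTL = timedelta(minutes=30)        # assumed session/token lifetime
# Constructed IIS W3C sample with made-up paths; not real WhatsUp Gold traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-01-02 09:00:01 POST /api/login-placeholder 10.10.20.15 200
2025-01-02 09:00:05 GET /api/devices 10.10.20.15 200
2025-01-02 09:10:00 GET /api/credentials 203.0.113.7 200
2025-01-02 09:12:00 GET /api/devices 10.10.20.44 200
2025-01-02 11:00:00 GET /api/devices 10.10.20.15 200
2025-01-02 11:01:00 GET /api/devices 10.10.20.99 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.fromisoformat(f"{row['date']} {row['time']}")
            yield row

def find_suspect_api_calls(text):
    """Return (ts, ip, uri, reason) for successful API calls that look unbacked by a login."""
    last_login, findings = {}, []
    for r in sorted(parse_w3c(text), key=lambda r: r["ts"]):
        ip, uri, ok = r["c-ip"], r["cs-uri-stem"], r["sc-status"].startswith("2")
        if not ok or not uri.startswith(API_PREFIX):
            continue  # failed requests and non-API traffic are out of scope here
        if uri == LOGIN_PATH:
            last_login[ip] = r["ts"]  # remember the latest successful login per client
            continue
        reasons = []
        if ipaddress.ip_address(ip) not in MGMT_NET:
            reasons.append("source outside management subnet")
        seen = last_login.get(ip)
        if seen is None or r["ts"] - seen > SESSION_TTL:
            reasons.append("no login within session lifetime")
        if reasons:
            findings.append((r["ts"].isoformat(sep=" "), ip, uri, "; ".join(reasons)))
    return findings
```

On the constructed sample, `find_suspect_api_calls(SAMPLE_LOG)` returns three findings: the external client, the internal client that never logged in, and the request made long after its login.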
Monitoring Recommendations
- Forward WhatsUp Gold IIS, application, and Windows event logs to a centralized SIEM for retention and correlation.
- Monitor process creation on the WhatsUp Gold host for unexpected child processes spawned by the web application worker.
- Track changes to WhatsUp Gold configuration files, credential libraries, and database tables that store device credentials.
How to Mitigate CVE-2024-12108
Immediate Actions Required
- Upgrade Progress WhatsUp Gold to version 2024.0.2 or later on every server in the environment.
- Restrict network exposure of the WhatsUp Gold public API to trusted management subnets using host or network firewalls.
- Rotate credentials stored within WhatsUp Gold, including SNMP community strings, WMI accounts, and SSH keys used for device polling.
Patch Information
Progress addressed the issue in WhatsUp Gold 2024.0.2. Administrators should download the current release from Progress and follow the upgrade procedure on the Progress Network Monitoring Resource page. Validate the installed build after upgrade and confirm that the public API no longer accepts unauthenticated or spoofed authentication requests.
Workarounds
- Block external access to the WhatsUp Gold API port at the perimeter until the patch is applied.
- Place the WhatsUp Gold server behind a reverse proxy that enforces client certificate authentication or IP allow-listing.
- Disable any unused API integrations and remove inactive API user accounts to reduce the attack surface.
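# Configuration example: restrict WhatsUp Gold API access on Windows with firewall rules
# Windows Defender Firewall applies Block rules ahead of Allow rules, so a
# block-all rule on this port would also cut off the management subnet.
# Allow only the trusted subnet and let the default inbound Block action
# drop everything else; remove or re-scope any broader allow rule for this port.
New-NetFirewallRule -DisplayName "WUG-API-Allow-MgmtSubnet" `
    -Direction Inbound -Protocol TCP -LocalPort 9643 `
    -RemoteAddress 10.10.20.0/24 -Action Allow
Set-NetFirewallProfile -All -DefaultInboundAction Block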