CVE-2024-6670 Overview
CVE-2024-6670 is a critical SQL Injection vulnerability affecting Progress WhatsUp Gold network monitoring software in versions released before 2024.0.0. This vulnerability allows an unauthenticated attacker to retrieve users' encrypted passwords through specially crafted SQL queries, potentially leading to complete system compromise.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated attackers can extract encrypted user credentials, enabling credential theft and potential lateral movement across monitored network infrastructure.
Affected Products
- Progress WhatsUp Gold versions prior to 2024.0.0
- All deployments of WhatsUp Gold network monitoring software before the August 2024 security update
- Enterprise network monitoring installations using vulnerable WhatsUp Gold versions
Discovery Timeline
- 2024-08-29 - CVE-2024-6670 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2024-6670
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in Progress WhatsUp Gold's authentication handling components. The flaw allows unauthenticated remote attackers to inject malicious SQL statements into application queries, bypassing authentication controls entirely. When exploited successfully, attackers can extract encrypted password hashes from the underlying database without requiring any prior authentication or user interaction.
The vulnerability is particularly dangerous because WhatsUp Gold is a network monitoring platform that typically has broad visibility across enterprise infrastructure. Compromising this system could provide attackers with credentials for network devices, servers, and other monitored assets.
Root Cause
The root cause of CVE-2024-6670 is improper input validation and insufficient sanitization of user-supplied data before it is incorporated into SQL queries. The application fails to properly parameterize database queries, allowing malicious SQL syntax to be interpreted as executable commands rather than data. This classic SQL Injection pattern enables attackers to manipulate query logic and extract sensitive information directly from the database.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no authentication and no user interaction. An attacker with network access to a vulnerable WhatsUp Gold instance can craft malicious HTTP requests containing SQL injection payloads. These payloads manipulate the application's database queries to return encrypted user credentials.
The attack flow typically involves:
- Identifying an exposed WhatsUp Gold instance
- Crafting SQL injection payloads targeting authentication-related endpoints
- Extracting encrypted password hashes from the database
- Attempting offline cracking of the retrieved credentials
- Using compromised credentials for further access to monitored systems
Detection Methods for CVE-2024-6670
Indicators of Compromise
- Unusual database query patterns containing SQL injection syntax such as UNION SELECT, OR 1=1, or comment sequences
- Unexpected authentication failures followed by successful logins from the same source
- Anomalous data extraction volumes from the WhatsUp Gold database
- Web application logs showing malformed or suspicious parameter values in authentication requests
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns targeting WhatsUp Gold endpoints
- Implement database activity monitoring to detect unauthorized credential table queries
- Review IIS or web server logs for suspicious requests with SQL syntax in parameters
- Deploy network intrusion detection rules for known SQL injection attack patterns
Monitoring Recommendations
- Enable verbose logging on WhatsUp Gold application servers and correlate with SIEM systems
- Configure alerts for failed authentication attempts followed by database query anomalies
- Monitor for outbound connections from the WhatsUp Gold server to unexpected destinations
- Implement file integrity monitoring on WhatsUp Gold configuration and binary directories
How to Mitigate CVE-2024-6670
Immediate Actions Required
- Upgrade to Progress WhatsUp Gold version 2024.0.0 or later immediately
- Restrict network access to WhatsUp Gold management interfaces using firewall rules
- Review authentication logs for signs of prior exploitation
- Rotate all user credentials stored in WhatsUp Gold after patching
Patch Information
Progress Software has released a security update addressing CVE-2024-6670 in WhatsUp Gold version 2024.0.0. Organizations should consult the Progress Security Bulletin August 2024 for detailed upgrade instructions and additional security guidance. Given that this vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and critical infrastructure operators face mandatory remediation deadlines.
Workarounds
- Isolate WhatsUp Gold servers from direct internet exposure using network segmentation
- Implement a web application firewall (WAF) with SQL injection detection rules in front of WhatsUp Gold
- Enable multi-factor authentication for all administrative access to reduce impact of credential theft
- Configure database access controls to limit the WhatsUp Gold service account privileges to minimum required
# Network isolation example - restrict access to WhatsUp Gold web interface
# Windows Firewall rule to limit management access to specific admin network
netsh advfirewall firewall add rule name="WhatsUp Gold Admin Access" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/24
netsh advfirewall firewall add rule name="Block WhatsUp Gold External" dir=in action=block protocol=tcp localport=443 remoteip=any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
