Jun 9, 2022
The following vulnerabilities were discovered in Progress Ipswitch WhatsUp Gold:
The advisory from Progress can be found here.
When combined, these vulnerabilities lead to a critical impact. An attacker can obtain the plain-text password of all users registered in WhatsUp Gold. Using these passwords, it is then possible to authenticate to WhatsUp Gold and perform further attacks (local file disclosure, authenticated SSRF).
As per the advisory from Progress, please see the table below for affected software versions:
WhatsUp® Gold provides complete visibility to everything that’s connected to your network. The unique interactive map lets you see network devices, servers, virtual machines, cloud and wireless environments in context so you can diagnose issues with pinpoint accuracy.
The remediation details provided in Progress's advisory are satisfactory and will ensure that this vulnerability cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team
The timeline for this disclosure process can be found below: