PT-2024-5207 · Progress · Progress WhatsUp Gold
Published: 2024-04-04 · Updated: 2025-05-13 · CVE-2024-4885
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software and Affected Versions: Progress WhatsUp Gold versions prior to 2023.1.3
Description: An unauthenticated remote code execution vulnerability in Progress WhatsUp Gold, located in the GetFileWithoutZip method. The method does not correctly restrict a user-supplied path to its intended directory (path traversal), so a remote attacker can send specially crafted JSON data and execute arbitrary code on the server with the privileges of the IIS AppPool\mconsole account. Over 1,200 WhatsUp Gold systems are at risk, and the vulnerability is being actively exploited, posing a significant threat to network security.
Recommendations: Update installations older than 2023.1.3 to version 2023.1.3 or later. Until the patch is applied, restrict access to the GetFileWithoutZip method on the affected API endpoint and do not rely on it.

Tags: Exploit, Fix, RCE, Path traversal

Related Identifiers: BDU:2024-05764, CVE-2024-4885, ZDI-24-893
Affected Products: Progress WhatsUp Gold