CVE-2024-6670 and CVE-2024-6671 Detection: RCE Attacks Exploiting Critical SQL Injection Vulnerabilities in WhatsUp Gold
Table of contents:
Hackers are weaponizing PoC exploits for newly identified vulnerabilities in Progress Software WhatsUp Gold for in-the-wild attacks. Defenders have recently uncovered RCE attacks exploiting the critical SQL injection flaws tracked as CVE-2024-6670 and CVE-2024-6671. Notably, CVE-2024-6670 has been added to CISA’s Known Exploited Vulnerabilities Catalog.
Detect CVE-2024-6670, CVE-2024-6671 Progress WhatsUp Gold Exploits
In 2024, nearly 28,000 vulnerabilities were discovered, reflecting a 39% increase compared to the previous year. As the attack surface continues to expand, cyber defenders face growing challenges in timely detecting exploitation attempts. SOC Prime’s Platform for collective cyber defense addresses this by offering a vast collection of detection rules, ensuring critical CVEs are covered with relevant detections within a 24-hour SLA.
The latest vulnerabilities in the limelight are critical WhatsUp Gold flaws (CVE-2024-6670, CVE-2024-6671) being actively exploited in the wild. To spot possible exploitation attempts, security professionals might use a tailored Sigma rule set already available in the SOC Prime Platform. Just hit the Explore Detections button below and immediately drill down to the rule collection.
The detections are compatible with 30+ SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework to streamline threat investigation. Additionally, rules are enriched with extensive metadata, including threat intel references, attack timelines, and triage recommendations.
Security professionals looking for more curated detection content addressing vulnerability exploitation attempts might access the relevant Sigma rules stack by browsing Threat Detection Marketplace with “CVE” tag.
CVE-2024-6670 and CVE-2024-6671 Analysis
Trend Micro researchers have recently observed RCE attacks on Progress Software WhatsUp Gold weaponizing the Active Monitor PowerShell Script feature since August 30, 2024. Two SQL injection flaws targeted in these attacks, which are tracked as CVE-2024-6670 and CVE-2024-6671, give attackers the green light to retrieve encrypted passwords without authentication. Both critical vulnerabilities, with the CVSS score reaching 9.8 and affecting WhatsUp Gold versions released before 2024.0.0, were patched by the vendor in mid-August. However, the release of a public PoC exploit for CVE-2024-6670, which displays how to overwrite an arbitrary string as the new password, escalates the risk of abusing WhatsUp Gold vulnerabilities in the wild.
Notably, Trend Micro investigation detected the initial signs of active exploitation just five hours after the PoC exploit code release. Threat actors take advantage of WhatsUp Gold’s legitimate Active Monitor PowerShell Script functionality to execute multiple PowerShell scripts using NmPoller.exe, which are fetched from remote URLs. Attackers then leverage the legitimate Windows utility “msiexec.exe” to install several remote access tools via MSI packages, including Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote. By deploying them, adversaries ensure persistence on the impacted devices.
As potential CVE-2024-6670 and CVE-2024-6671 mitigation measures, defenders strongly recommend upgrading to the latest patched software version per vendor guidelines, restricting access to the management console and API endpoints, and always applying strong passwords.
With the constantly increasing volume of cyber attacks exploiting known vulnerabilities, including CVE-2024-6670 added to CISA’s catalog and CVE-2024-6671, enterprises that rely on popular software products are searching for future-proof solutions to strengthen their defenses. By leveraging SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, organizations can equip their security teams with cost-efficient enterprise-ready solutions to risk-optimize the cybersecurity posture.