This page lists publicly disclosed CVE vulnerabilities affecting progress whatsup_gold (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-2572 | In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup. | [email protected] | 5.6 | 0.00% | 2025-04-14 | 2025-07-17 |
| CVE-2024-12108 | In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. | [email protected] | 9.6 | 21.75% | 2024-12-31 | 2025-01-06 |
| CVE-2024-12106 | In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. | [email protected] | 9.4 | 32.66% | 2024-12-31 | 2025-01-06 |
| CVE-2024-12105 | In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. | [email protected] | 6.5 | 9.37% | 2024-12-31 | 2025-01-08 |
| CVE-2024-8785 | In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\. | [email protected] | 9.8 | 4.04% | 2024-12-02 | 2024-12-09 |
| CVE-2024-46909 | In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account. | [email protected] | 9.8 | 40.81% | 2024-12-02 | 2024-12-10 |
| CVE-2024-46908 | In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | [email protected] | 8.8 | 1.71% | 2024-12-02 | 2024-12-10 |
| CVE-2024-46907 | In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | [email protected] | 8.8 | 1.71% | 2024-12-02 | 2024-12-10 |
| CVE-2024-46906 | In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | [email protected] | 8.8 | 26.99% | 2024-12-02 | 2024-12-06 |
| CVE-2024-46905 | In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account. | [email protected] | 8.8 | 1.71% | 2024-12-02 | 2024-12-03 |
| CVE-2024-7763 | In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. | [email protected] | 9.8 | 0.20% | 2024-10-24 | 2024-10-30 |
| CVE-2024-6672 | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password. | [email protected] | 8.8 | 1.92% | 2024-08-29 | 2024-09-04 |
| CVE-2024-6671 | In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. | [email protected] | 9.8 | 76.18% | 2024-08-29 | 2024-09-04 |
| CVE-2024-6670 (KEV) | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. | [email protected] | 9.8 | 94.47% | 2024-08-29 | 2025-10-31 |
| CVE-2024-5019 | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges. | [email protected] | 5.3 | 0.22% | 2024-06-25 | 2024-11-21 |
| CVE-2024-5018 | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists in Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows reading of any file from the application's web-root directory. | [email protected] | 5.3 | 0.22% | 2024-06-25 | 2024-11-21 |
| CVE-2024-5017 | In WhatsUp Gold versions released before 2023.1.3, a path traversal vulnerability exists. A specially crafted unauthenticated HTTP request to AppProfileImport can lead to information disclosure. | [email protected] | 6.5 | 1.18% | 2024-06-25 | 2024-11-21 |
| CVE-2024-5016 | In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve Remote Code Execution as SYSTEM. The vulnerability exists in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage for the server and NmDistributed.DistributedClient.OnMessage for clients. | [email protected] | 7.2 | 6.19% | 2024-06-25 | 2024-11-21 |
| CVE-2024-5015 | In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin. | [email protected] | 7.1 | 0.09% | 2024-06-25 | 2024-11-21 |
| CVE-2024-5014 | In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the GetASPReport feature. This allows any authenticated user to retrieve ASP reports from an HTML form. | [email protected] | 7.1 | 0.06% | 2024-06-25 | 2024-11-21 |