CVE-2024-4885: WhatsUp Gold GetFileWithoutZip Directory Traversal Remote Code Execution Vulnerability

9.8 CVSS

Description

In WhatsUp Gold versions released before 2023.1.3, there is an unauthenticated Remote Code Execution vulnerability in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

Known Exploited

🚨 Marked as known exploited on March 3rd, 2025.

Classification

CVE ID: CVE-2024-4885

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: Progress Software Corporation

Product: WhatsUp Gold

Nuclei Template

http/cves/2024/CVE-2024-4885.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 93.68% (probability of being exploited)

EPSS Percentile: 99.84% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-01 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: active

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-4885
https://www.progress.com/network-monitoring
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

Timeline