Lyrie
By Lyrie Threat Intelligence · 3/3/2025

What happened

CISA added CVE-2024-4885 to the Known Exploited Vulnerabilities catalog on 2025-03-03, signaling confirmed exploitation in the wild (CISA KEV). The issue is a path traversal flaw (CWE-22) in Progress WhatsUp Gold that enables an unauthenticated attacker to execute code remotely (NVD entry). CISA’s entry lists a required action to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations aren’t available (CISA KEV). The federal remediation due date is 2025-03-24 per the KEV listing (CISA KEV). The CVE record tracks the vulnerability against Progress WhatsUp Gold and classifies it under CWE-22 path traversal (MITRE CVE record).

Why it matters

Inclusion in the KEV list means exploitation has been observed, and CISA is directing urgent remediation (CISA KEV). Unauthenticated remote code execution is a worst-case web-exposed outcome: initial access with no creds required and arbitrary code on the target service (NVD entry). Because this is a path traversal class issue (CWE-22), the bug breaks directory restrictions and can be leveraged to impact confidentiality, integrity, and availability on the affected host (NVD entry). The combination of KEV-confirmed exploitation and unauthenticated RCE puts this on the immediate patch list for any environment running Progress WhatsUp Gold (CISA KEV).

Technical detail

CVE-2024-4885 is categorized under CWE-22, Improper Limitation of a Pathname to a Restricted Directory, commonly called path traversal (NVD entry). Path traversal occurs when user-controlled input influences file system paths without correct canonicalization or enforcement of allowed directories, allowing access outside intended boundaries (NVD entry). In this case, the vulnerability exists in Progress WhatsUp Gold, and the impact extends to unauthenticated remote code execution per the CVE description (MITRE CVE record). CISA’s KEV entry confirms active exploitation and mandates remediation by 2025-03-24 for federal agencies subject to BOD 22-01 (CISA KEV). The vulnerability is explicitly identified as affecting Progress WhatsUp Gold; consult the CVE entry for authoritative status and references as they update (NVD entry).
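To make the CWE-22 definition above concrete, the following added example (not code from WhatsUp Gold, Progress, or the cited records) contrasts a flawed prefix check with canonicalize-then-enforce containment. The function names, the sample inputs and the temporary base directory are assumptions chosen for illustration.

```python
import os
import tempfile

def naive_resolve(base, user_path):
    """Flawed pattern: prefix check on the raw joined string, normalized afterwards."""
    candidate = os.path.join(base, user_path)
    if not candidate.startswith(base):
        raise PermissionError(user_path)
    return os.path.normpath(candidate)

def safe_resolve(base, user_path):
    """Canonicalize first, then enforce containment in the allowed directory."""
    if "\x00" in user_path:
        raise PermissionError(user_path)
    base_real = os.path.realpath(base)
    # Treat backslashes as separators so Windows-style input gets the same check.
    joined = os.path.join(base_real, user_path.replace("\\", "/"))
    candidate = os.path.realpath(joined)  # resolves "..", "." and symlinks
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(user_path)
    return candidate

# Constructed inputs: one legitimate name and four that leave the base directory.
SAMPLES = ["reports/q1.txt", "../outside.txt", "a/../../outside.txt",
           "..\\outside.txt", "/etc/hostname"]

def classify(resolver, base=None):
    """Run every sample through a resolver and record whether it was accepted."""
    base = base or os.path.realpath(tempfile.mkdtemp())
    verdicts = {}
    for sample in SAMPLES:
        try:
            resolver(base, sample)
            verdicts[sample] = "allowed"
        except PermissionError:
            verdicts[sample] = "rejected"
    return verdicts

if __name__ == "__main__":
    for name, resolver in (("naive", naive_resolve), ("safe", safe_resolve)):
        print(name, classify(resolver))
```

The naive resolver accepts every relative sample because the un-normalized string still begins with the base directory; only the canonicalized comparison rejects them.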

While the CVE and KEV records do not enumerate exploit specifics in the public summary, the relationship between CWE-22 and file-system access makes abuse pathways straightforward once input controls are bypassed (NVD entry). Because the attack is unauthenticated, exposure of the vulnerable interface to untrusted networks increases risk materially, aligning with CISA’s accelerated remediation directive in the KEV (CISA KEV).

Defense

  • Patch/mitigate immediately per the vendor’s guidance; if mitigations are unavailable, CISA directs discontinuing use until risk is removed (CISA KEV).
  • If you are a U.S. federal civilian agency, meet the 2025-03-24 remediation due date under KEV/BOD 22-01; prioritize this CVE in emergency change windows (CISA KEV).
  • Limit exposure of WhatsUp Gold interfaces to trusted networks while you validate patch status, given unauthenticated RCE is in scope per the CVE (NVD entry).
  • Review logs surrounding any externally accessible endpoints that map to file access or request routing paths for signs consistent with CWE-22 abuse; treat anomalies as potential compromise (NVD entry).
  • Perform compromise assessment on the host(s) running the product: look for unexpected binaries, scripts, or service modifications aligned to RCE outcomes described in the CVE (MITRE CVE record).
  • Prepare rollback and credential hygiene steps if suspicious activity is found (service accounts, API tokens, and integrations), given the RCE impact domain documented in the CVE (NVD entry).
  • Track the official records for updates and any additional references or vendor guidance linked from CISA and NVD as they evolve (CISA KEV).
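For the log-review step above, this added example (not part of the original advisory or any vendor tooling) triages web access logs for traversal segments, including percent-encoded and double-encoded forms. The log format, the `/app/...` paths, the addresses and the priority rule are constructed assumptions, not WhatsUp Gold endpoints or published indicators.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines. The /app/... paths are placeholders, not
# real WhatsUp Gold endpoints; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2025:10:00:01 +0000] "GET /app/status?view=summary HTTP/1.1" 200 512
203.0.113.11 - - [03/Mar/2025:10:00:05 +0000] "POST /app/upload?name=../../web/x.txt HTTP/1.1" 200 0
203.0.113.12 - - [03/Mar/2025:10:00:09 +0000] "GET /app/file?path=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 404 0
203.0.113.13 - - [03/Mar/2025:10:00:12 +0000] "GET /app/file?path=%252e%252e%255cconf HTTP/1.1" 403 0
198.51.100.7 - - [03/Mar/2025:10:00:20 +0000] "GET /app/docs/v1..2/notes.txt HTTP/1.1" 200 90
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# ".." counts only as a whole path or parameter segment, so "v1..2" is ignored.
DOTDOT_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&]|$)')

def decode_rounds_to_traversal(target, max_rounds=3):
    """Return how many percent-decoding passes expose a '..' segment, or None."""
    current = target
    for rounds in range(max_rounds + 1):
        if DOTDOT_RE.search(current):
            return rounds
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return None
        current = decoded
    return None

def triage(log_text):
    """Return one finding per request whose target contains a traversal segment."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ip, when, method, target, status = match.groups()
        rounds = decode_rounds_to_traversal(target)
        if rounds is None:
            continue
        findings.append({
            "ip": ip, "time": when, "method": method, "target": target,
            "status": int(status), "decode_rounds": rounds,
            # Assumed rule: a 2xx answer to a traversal-shaped request goes first.
            "priority": "high" if status.startswith("2") else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for the compromise assessment in the next step, not proof of exploitation; correlate it with file and process activity on the host.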

Lyrie Verdict

This is a KEV-listed, unauthenticated RCE from a CWE-22 path traversal in a widely deployed monitoring product, an ideal target for automated opportunistic exploitation (NVD CVE-2024-4885). Lyrie’s stance: treat all path-traversal-to-RCE surfaces as machine-speed attack vectors and instrument autonomous controls accordingly. Concretely, Lyrie auto-correlates inbound request features indicative of traversal attempts with file-access anomalies and post-request process creation on the affected service to elevate to confirmed exploitation in near-real time (CISA KEV). When confidence crosses threshold, Lyrie executes kill-switch actions (segmentation of the target, request sinkholing, and revocation of newly created artifacts) to cut attacker loops without waiting for human triage, then opens a forensics workflow tied to the CVE record for auditable response (MITRE CVE record).
