VYPR
Vendor

Ipswitch, Inc.

Ipswitch is an IT management software developer for small and medium sized businesses. The company was founded in 1991 and is headquartered in Burlington, Massachusetts and has operations in Atlanta (Alpharetta) and Augusta, Georgia, American Fork, Utah, Madison, Wisconsin and Galway, Ireland. Ipswitch sells its products directly, as well as through distributors, resellers and OEMs in the United States, Canada, Latin America, Europe and the Pacific Rim. Since 2019, Ipswitch is part of Progress Software.

Founded 1991
Products
28
CVEs
158
Across products
208
Status
Private

Products

28

Recent CVEs

158
View all 158 CVEs →
  • CVE-2015-8261CriJan 8, 2016
    risk 0.67cvss 9.8epss 0.04

    The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.

  • CVE-2018-8939CriMay 1, 2018
    risk 0.64cvss 9.8epss 0.01

    An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold…

  • CVE-2018-8938CriMay 1, 2018
    risk 0.64cvss 9.8epss 0.02

    A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.

  • CVE-2018-5778CriJan 24, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2018-5777CriJan 24, 2018
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Remote clients can take advantage of a misconfiguration in the TFTP server that could allow attackers to execute arbitrary commands on the TFTP server via unspecified vectors.

  • CVE-2017-12639CriOct 3, 2017
    risk 0.64cvss 9.8epss 0.03

    Stack based buffer overflow in Ipswitch IMail server up to and including 12.5.5 allows remote attackers to execute arbitrary code via unspecified vectors in IMmailSrv, aka ETRE or ETCTERARED.

  • CVE-2017-12638CriOct 3, 2017
    risk 0.64cvss 9.8epss 0.03

    Stack based buffer overflow in Ipswitch IMail server up to and including 12.5.5 allows remote attackers to execute arbitrary code via unspecified vectors in IMmailSrv, aka ETBL or ETCETERABLUE.

  • CVE-2017-6195CriMay 18, 2017
    risk 0.64cvss 9.8epss 0.02

    Ipswitch MOVEit Transfer (formerly DMZ) allows pre-authentication blind SQL injection. The fixed versions are MOVEit Transfer 2017 9.0.0.201, MOVEit DMZ 8.3.0.30, and MOVEit DMZ 8.2.0.20.

  • CVE-2016-1000000HigOct 6, 2016
    risk 0.57cvss 8.8epss 0.01

    Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection

  • CVE-2015-7678HigFeb 10, 2016
    risk 0.57cvss 8.8epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Ipswitch MOVEit Mobile 1.2.0.962 and earlier allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2017-16513HigNov 3, 2017
    risk 0.54cvss 7.8epss 0.02

    Ipswitch WS_FTP Professional before 12.6.0.3 has buffer overflows in the local search field and the backup locations field, aka WSCLT-1729.

  • CVE-2025-10932HigOct 29, 2025
    risk 0.53cvss 8.2epss 0.00

    Uncontrolled Resource Consumption vulnerability in Progress MOVEit Transfer (AS2 module).This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, from 2023.1.0 before 2023.1.16.

  • CVE-2005-2160HigJul 6, 2005
    risk 0.49cvss 7.5epss 0.02

    IMail stores usernames and passwords in cleartext in a cookie, which allows remote attackers to obtain sensitive information.

  • CVE-2015-6005MedDec 27, 2015
    risk 0.45cvss 6.9epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor…

  • CVE-2015-7675MedFeb 10, 2016
    risk 0.42cvss 6.5epss 0.03

    The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and MOVEit Mobile before 1.2.2 allow remote authenticated users to bypass authorization and read uploaded files via a valid FileID in the (1) serverFileIds parameter to mobile/sendMsg or (2) arg01 parameter to…

  • CVE-2015-6004MedDec 27, 2015
    risk 0.42cvss 6.5epss 0.02

    Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.

  • CVE-2018-6545MedFeb 2, 2018
    risk 0.40cvss 6.1epss 0.02

    Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability, as demonstrated by human.aspx. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks.

  • CVE-2015-7679MedFeb 10, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Ipswitch MOVEit Mobile before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the query string to mobile/.

  • CVE-2015-7676MedApr 15, 2016
    risk 0.35cvss 5.4epss 0.02

    Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files.

  • CVE-2015-7680MedFeb 10, 2016
    risk 0.35cvss 5.3epss 0.02

    Ipswitch MOVEit DMZ before 8.2 provides different error messages for authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of SOAP requests to machine.aspx.