CVE-2021-42258

CVSS 9.8 CRITICAL · EPSS 73.3% · KEV · CWE-89 (SQL Injection)
In short

BQE BillQuick Web Suite 2018 through 2021, before version 22.0.9.1, contains an unauthenticated SQL injection vulnerability in the login form (the txtID username parameter). Because the injected SQL can reach the xp_cmdshell extended procedure on the backing Microsoft SQL Server, an attacker can run arbitrary operating-system commands on the database server without valid credentials. The flaw was actively exploited in October 2021 to install ransomware.

Technical detail

An unauthenticated SQL injection exists in the txtID (username) parameter of the login form in BQE BillQuick Web Suite 2018 through 2021, before 22.0.9.1. Successful exploitation lets an attacker run arbitrary SQL against the backing Microsoft SQL Server and, where xp_cmdshell is reachable (it requires the application's database login to hold sysadmin, or an explicit proxy), to execute arbitrary operating-system commands under the identity of the SQL Server service (MSSQLSERVER$). No authentication is required.
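The description above relies on three server-side conditions that a defender can audit independently of the vendor patch: xp_cmdshell is enabled, the web application's database login is a member of sysadmin, and the SQL Server service runs as a privileged account. The following T-SQL is an added example written for this page, not code from BQE or from the advisory; it assumes you run it as a sysadmin on the instance behind the application, and the login name billquick_app is a hypothetical placeholder for whatever login the web app actually uses.

```sql
-- Added audit and hardening script (not from the vendor or the advisory).
-- Assumption: executed as a sysadmin on the SQL Server instance that backs
-- the web application. @AppLogin is a hypothetical name; replace it.
DECLARE @AppLogin sysname = N'billquick_app';

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin login,
--    including one reached through a stacked-query SQL injection, can run
--    operating-system commands.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which logins hold sysadmin? The application's login should not appear
--    here: xp_cmdshell requires sysadmin (or an explicit proxy account), so
--    without it an injection cannot reach the OS directly.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');   -- SQL logins, Windows logins, Windows groups

-- 3. Which Windows account does the engine run as? Commands launched via
--    xp_cmdshell inherit this identity (the description cites MSSQLSERVER$,
--    the service's own account). LocalSystem or a domain account with
--    broad rights here turns SQL injection into full host compromise.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server (%';

-- Remediation: disable xp_cmdshell and remove the application login from
-- sysadmin. Dynamic SQL is needed because ALTER SERVER ROLE takes an
-- identifier, not a variable.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

IF IS_SRVROLEMEMBER(N'sysadmin', @AppLogin) = 1
    EXEC (N'ALTER SERVER ROLE sysadmin DROP MEMBER ' + QUOTENAME(@AppLogin) + N';');
```

Run the three SELECTs first and record the results; they tell you whether an injection in this application could ever have reached xp_cmdshell on your instance, which matters when scoping an incident from October 2021 onward. The remediation section is independent of the BillQuick patch and should be applied in any case: an application login that is not sysadmin cannot call xp_cmdshell even if a future injection bug appears, and disabling the procedure removes the code-execution path for every login.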

The summaries above were generated and translated by AI from the official description, which reads:

BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
BQE BillQuick Web Suite 2018 through 2021, versions before 22.0.9.1 (the record's vendor and product fields are not populated; the range is taken from the official description above).
