CVE-2021-42258
published 2021-10-22

Priority: P196 critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 73.27% (99.4th percentile)
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.

Affected (1 range)

Vendor: bqe
Product: billquick_web_suite
Version range: >= 19 < 22.0.9.1
Fixed in: 22.0.9.1

Detection & IOCs (extracted from sources)

command: xp_cmdshell
other: txtID=uname%27&txtPW=passwd&hdnClientDPI=96
sigma: words: ['System.Data.SqlClient.SqlException', 'Incorrect syntax near', '_ACCOUNTLOCKED'], condition: and
  • Detect SQL injection attempts against BillQuick Web Suite login by monitoring POST requests to the root path with a single-quote injected in the txtID (username) parameter (e.g., txtID=<value>').
  • Alert on HTTP responses containing all three strings simultaneously: 'System.Data.SqlClient.SqlException', 'Incorrect syntax near', and '_ACCOUNTLOCKED' — this is the error-based SQLi response fingerprint for successful injection triggering.
  • Monitor for unauthenticated POST requests to BillQuick Web Suite login page with __EVENTTARGET=cmdOK and a single-quote or SQL metacharacter in the txtID field, indicating exploitation attempts.
  • The vulnerability does not support stacked queries but does support error-based SQL injection, allowing extraction of database name, banner, user, hostname, and the SecurityTable (user table) without authentication.
  • Post-exploitation: watch for MSSQLSERVER$ process spawning child processes (e.g., cmd.exe, powershell.exe) as a result of xp_cmdshell abuse, consistent with ransomware installation observed in October 2021 wild exploitation.
  • The application requires MSSQL as the backend database; the SQL injection vector and xp_cmdshell RCE path are only applicable in MSSQL-backed deployments.
  • The webapp uses an unknown password security algorithm, which may complicate credential harvesting from the extracted SecurityTable even after successful SQLi.
  • Exploitation is unauthenticated: no prior credentials or session are required, making this exploitable directly from the internet against exposed instances.
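The request-side and response-side signals listed above can be checked together over web logs. The following is an added example for this page, not code from any of the cited sources; it assumes logs have been parsed into (method, path, request body, response body) tuples and that the login page is served at the root path.

```python
import re
from urllib.parse import parse_qs, urlparse

# Error-based SQLi response fingerprint from the Sigma-style rule: all three must be present.
ERROR_FINGERPRINT = ("System.Data.SqlClient.SqlException", "Incorrect syntax near", "_ACCOUNTLOCKED")
# SQL metacharacters worth flagging in the txtID (username) field of a login POST.
SQL_META = re.compile(r"['\";]|--|/\*")

def suspicious_login_request(method: str, path: str, body: str) -> bool:
    """True for a POST to the root path with __EVENTTARGET=cmdOK and SQL metacharacters in txtID."""
    if method != "POST" or urlparse(path).path != "/":  # root login path assumed
        return False
    params = parse_qs(body, keep_blank_values=True)  # URL-decodes values, so %27 becomes '
    if params.get("__EVENTTARGET", [""])[0] != "cmdOK":
        return False
    return any(SQL_META.search(value) for value in params.get("txtID", []))

def error_based_response(body: str) -> bool:
    """True when the response carries the full three-string SqlException fingerprint."""
    return all(marker in body for marker in ERROR_FINGERPRINT)

def triage(records):
    """Return (index, reason) findings over (method, path, request_body, response_body) tuples."""
    findings = []
    for i, (method, path, req, resp) in enumerate(records):
        if suspicious_login_request(method, path, req):
            findings.append((i, "sqli-attempt"))
        if error_based_response(resp):
            findings.append((i, "error-fingerprint"))
    return findings

# Constructed sample records (hypothetical traffic, not taken from the page's sources).
SAMPLE = [
    ("POST", "/", "__EVENTTARGET=cmdOK&txtID=alice&txtPW=secret&hdnClientDPI=96",
     "<html>Login failed</html>"),
    ("POST", "/", "__EVENTTARGET=cmdOK&txtID=uname%27&txtPW=passwd&hdnClientDPI=96",
     "System.Data.SqlClient.SqlException: Incorrect syntax near 'uname'. ... _ACCOUNTLOCKED"),
    ("GET", "/", "", "<html>ok</html>"),
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE):
        print(f"record {index}: {reason}")
```

Record 1 fires on both the request and the response signal; a benign failed login (record 0) fires on neither.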

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL