CVE-2021-42258
Published 2021-10-22
CVE-2021-42258: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation.
Priority: P196 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 73.27% (99.4th percentile)
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bqe | billquick_web_suite | >= 19 < 22.0.9.1 | 22.0.9.1 |
Detection & IOCs
Extracted from sources.
- other: `txtID=uname%27&txtPW=passwd&hdnClientDPI=96`
- sigma: words: ['System.Data.SqlClient.SqlException', 'Incorrect syntax near', '_ACCOUNTLOCKED'] condition: and
- Detect SQL injection attempts against BillQuick Web Suite login by monitoring POST requests to the root path with a single quote injected in the txtID (username) parameter (e.g., txtID=<value>').
- Alert on HTTP responses containing all three strings simultaneously: 'System.Data.SqlClient.SqlException', 'Incorrect syntax near', and '_ACCOUNTLOCKED'. This is the error-based SQLi response fingerprint for successful injection triggering.
- Monitor for unauthenticated POST requests to the BillQuick Web Suite login page with __EVENTTARGET=cmdOK and a single quote or SQL metacharacter in the txtID field, indicating exploitation attempts.
- The vulnerability does not support stacked queries but does support error-based SQL injection, allowing extraction of the database name, banner, user, hostname, and the SecurityTable (user table) without authentication.
- Post-exploitation: watch for the MSSQLSERVER$ process spawning child processes (e.g., cmd.exe, powershell.exe) as a result of xp_cmdshell abuse, consistent with the ransomware installation observed in the October 2021 in-the-wild exploitation.
- The application requires MSSQL as the backend database; the SQL injection vector and xp_cmdshell RCE path are only applicable in MSSQL-backed deployments.
- The webapp uses an unknown password security algorithm, which may complicate credential harvesting from the extracted SecurityTable even after successful SQLi.
- Exploitation is unauthenticated: no prior credentials or session are required, making this exploitable directly from the internet against exposed instances.
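As an added example (not code from this page or from any of the sources it quotes), the following Python turns the three detections listed above into checks that can be run over log records: the request-side check for a single quote or other SQL metacharacter in `txtID` on a login POST (strengthened when `__EVENTTARGET=cmdOK` is present), the response-side AND of the three Sigma strings, and the post-exploitation check for the SQL Server service account spawning a shell. The login path `/`, the field names of the sample records, and matching `sqlservr.exe` as the parent image are assumptions; the sample events are constructed, not real traffic.

```python
"""Detection checks for the CVE-2021-42258 indicators (added example, not the page's own code)."""
import re
from urllib.parse import parse_qs

# Error-response fingerprint from the Sigma-style rule on the page; condition is AND.
SQLI_RESPONSE_MARKERS = (
    "System.Data.SqlClient.SqlException",
    "Incorrect syntax near",
    "_ACCOUNTLOCKED",
)
# Single quote (the page's IOC uses %27) plus a few other SQL metacharacters.
SQL_META = re.compile(r"['\";]|--|/\*")
# The advisory says the login POST goes to the root path; adjust per deployment (assumption).
LOGIN_PATHS = ("/",)


def check_request(method: str, path: str, body: str) -> list[str]:
    """Return the indicators matched by one HTTP request (empty list means clean)."""
    reasons: list[str] = []
    if method.upper() != "POST" or path.split("?", 1)[0] not in LOGIN_PATHS:
        return reasons
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes %27 -> '
    txt_id = params.get("txtID", [""])[0]
    if SQL_META.search(txt_id):
        reasons.append("sql-metacharacter-in-txtID")
    # A login submit with the injected username is the stronger signal from the page.
    if reasons and params.get("__EVENTTARGET", [""])[0] == "cmdOK":
        reasons.append("login-submit-cmdOK")
    return reasons


def check_response(body: str) -> bool:
    """True when the response carries the full error-based SQLi fingerprint (all three markers)."""
    return all(marker in body for marker in SQLI_RESPONSE_MARKERS)


def check_process(parent_image: str, child_image: str, user: str) -> bool:
    """Post-exploitation: the SQL Server service spawning a shell, the xp_cmdshell pattern.

    The page names the MSSQLSERVER$ account; matching sqlservr.exe as parent is an assumption.
    """
    shells = ("cmd.exe", "powershell.exe")
    child_name = child_image.lower().rsplit("\\", 1)[-1]
    from_sql_server = (parent_image.lower().endswith("sqlservr.exe")
                       or "mssqlserver" in user.lower())
    return child_name in shells and from_sql_server


# Constructed sample events (not real traffic); field names are this example's own.
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "path": "/",
     "body": "txtID=uname%27&txtPW=passwd&hdnClientDPI=96&__EVENTTARGET=cmdOK",
     "response": "System.Data.SqlClient.SqlException: Incorrect syntax near 'uname'. "
                 "... _ACCOUNTLOCKED ..."},
    {"type": "http", "method": "POST", "path": "/",
     "body": "txtID=alice&txtPW=hunter2&__EVENTTARGET=cmdOK",
     "response": "<html>Welcome, alice</html>"},
    {"type": "process",
     "parent": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "child": "C:\\Windows\\System32\\cmd.exe",
     "user": "NT SERVICE\\MSSQLSERVER"},
]


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every check over a list of events; return (event index, alert name) pairs."""
    alerts: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "http":
            reasons = check_request(ev["method"], ev["path"], ev["body"])
            if reasons:
                alerts.append((i, "sqli-attempt:" + ",".join(reasons)))
            if check_response(ev.get("response", "")):
                alerts.append((i, "sqli-error-fingerprint"))
        elif ev["type"] == "process" and check_process(ev["parent"], ev["child"], ev["user"]):
            alerts.append((i, "sql-service-spawned-shell"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The request check alone produces false positives from users whose names legitimately contain an apostrophe, which is why the response fingerprint (all three strings, as the Sigma rule requires) is the higher-confidence signal and the process-lineage check is what confirms the xp_cmdshell path was actually reached.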
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
BQE BillQuick Web Suite SQL Injection Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-42258 [CRITICAL] CWE-89 BQE BillQuick Web Suite SQL Injection Vulnerability
Vulnerability: BQE BillQuick Web Suite SQL Injection Vulnerability
Affected: BQE BillQuick Web Suite
BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-42258
Remediation Due Date: 2021-11-17
GHSA
GHSA-69qp-6hh5-mpjp: BQE BillQuick Web Suite 2018 through 2021 before 22
ghsa_unreviewed·2022-05-24
CVE-2021-42258 [CRITICAL] CWE-89 GHSA-69qp-6hh5-mpjp: BQE BillQuick Web Suite 2018 through 2021 before 22
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
VulnCheck
BQE BillQuick Web Suite SQL Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-42258 [CRITICAL] CWE-89 BQE BillQuick Web Suite SQL Injection Vulnerability
BQE BillQuick Web Suite SQL Injection Vulnerability
BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution.
Affected: BQE BillQuick Web Suite
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2021-42258; https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf
Remediation Due: 2021-11-17
No detection rules found.
Nuclei
BillQuick Web Suite SQL Injection
nuclei·CVSS 9.8
CVE-2021-42258 [CRITICAL] BillQuick Web Suite SQL Injection
BillQuick Web Suite SQL Injection
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
Template:
```yaml
id: CVE-2021-42258
info:
  name: BillQuick Web Suite SQL Injection
  author: dwisiswant0
  severity: critical
  description: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Apply the la
```
Metasploit
BillQuick Web Suite txtID SQLi
metasploit
BillQuick Web Suite txtID SQLi
BillQuick Web Suite txtID SQLi
This module exploits a SQL injection vulnerability in BillQuick Web Suite prior to version 22.0.9.1. The application is .NET based, and the database is required to be MSSQL. Luckily the website gives error-based SQLi messages, so it is trivial to pull data from the database. However, the webapp uses an unknown password security algorithm. This vulnerability does not seem to support stacked queries. This module pulls the database name, banner, user, hostname, and the SecurityTable (user table).
Securelist
Cyberthreats to financial organizations in 2022
blogs_securelist·2021-11-23
Cyberthreats to financial organizations in 2022
Table of Contents
Analysis of forecasts for 2021
Key events in 2021
Forecasts for 2022
Authors
Dmitry Bestuzhev
Santiago Pontiroli
Fabio Assolini
Seongsu Park
## A look back on the year 2021 and what to expect in 2022
First of all, we are going to analyze the forecasts we made at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.
## Analysis of forecasts for 2021
The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin thef
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
Overview
Directive Scope
CISA Catalog of Known Exploited Vulnerabilities
Detect CISA's Vulnerabilities Using Qualys VMDR
Remediation
Federal Enterprises and Agencies Can Act Now
Summary
Getting Started
Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities." This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Huntress
Hackers Are Exploiting a Vulnerability in Billing Software to Deploy Ransomware | Huntress
blogs_huntress·2021-10-22·CVSS 9.8
[CRITICAL] Hackers Are Exploiting a Vulnerability in Billing Software to Deploy Ransomware | Huntress
Hackers are constantly looking for low-hanging fruit and vulnerabilities that can be exploited - and they’re not always poking around in “big” mainstream applications like Office.
Sometimes, a productivity tool or even an add-on can be the door that hackers step through to gain access to an environment and carry out their next move. Huntress recently discovered one such vulnerability in a time and billing system called BillQuick.
## What Did We Find?
The Huntress ThreatOps team discovered a critical vulnerability in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software. Hackers were able to successfully exploit CVE-2021-42258 - using it to gain initial access to a US engineering company - and deploy ransomware across the victim’s network. Considering BQE’
References:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42258
2021-10-22: Published
2021-11-03: Added to CISA KEV
Exploited in the wild