CVSS v3.1: 9.8 Critical
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cybersecurity researchers on Friday disclosed a now-patched critical vulnerability in multiple versions of the time and billing system BillQuick that is being actively exploited by threat actors to deploy ransomware on vulnerable systems.
The flaw, tracked as CVE-2021-42258, is an SQL injection that allows remote code execution. According to American cybersecurity firm Huntress Labs, it was successfully leveraged to gain initial access to an unnamed U.S. engineering company and mount a ransomware attack.
While BQE Software addressed the issue in BillQuick version 22.0.9.1, released on October 7, eight other undisclosed security issues identified during the investigation are yet to be patched. According to its website, BQE Software's products are used by 400,000 users worldwide.
"Hackers can use this to access customers' BillQuick data and run malicious commands on their on-premises Windows servers," Huntress Labs threat researcher Caleb Stewart said in a write-up. "This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed."
The vulnerability stems from how BillQuick Web Suite 2020 constructs SQL database queries: user-supplied input from the application's login form is placed into the query text rather than bound as a parameter, so an attacker can inject specially crafted SQL. Because the database can be made to spawn a command shell on the underlying Windows operating system, and because the software runs as the "System Administrator" user, a successful injection yields code execution on the server with that account's privileges.
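The following is an added example, not code from the article or from BQE Software, showing the class of defect described above in the smallest form that can be run: a login check that concatenates form input into its SQL string beside the same check written with bound parameters. It uses an in-memory SQLite table with constructed rows as a stand-in for the product's database (the real schema, column names and the MSSQL-specific step that turns injection into an OS command shell are not reproduced here; only the injection and its fix are). The single-quote probe at the end is the generic first check a tester runs against a login form: a database error, rather than a clean "login failed", is the tell for string-built SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (assumption: not the product's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 's3cret'), ('o''brien', 'pw')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-concatenated query: the same defect class as the advisory.
    Form input becomes part of the SQL grammar, so quotes, comment markers
    and boolean operators supplied by the user are parsed as SQL."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the values are bound as data by the driver and are
    never parsed as SQL, whatever characters they contain."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def probe(login_fn, conn: sqlite3.Connection, username: str, password: str):
    """Run a login attempt and report True/False, or 'error' if the database
    rejected the query. An error on a bare single quote indicates the
    input reached the SQL parser."""
    try:
        return login_fn(conn, username, password)
    except sqlite3.Error:
        return "error"


def demo() -> dict:
    conn = make_db()
    # Classic tautology payload: closes the string, makes the WHERE clause
    # always true, and comments out the password comparison.
    payload_user = "' OR 1=1 --"
    return {
        # injection against the concatenated query: authenticated with no password
        "vuln_bypass": probe(login_vulnerable, conn, payload_user, "wrong"),
        # same payload against the bound query: just an unknown username
        "safe_bypass": probe(login_parameterized, conn, payload_user, "wrong"),
        # single-quote probe: syntax error vs. clean failure
        "vuln_probe": probe(login_vulnerable, conn, "'", "x"),
        "safe_probe": probe(login_parameterized, conn, "'", "x"),
        # a legitimate user whose name contains a quote breaks the vulnerable
        # version and works with the parameterized one
        "vuln_quote_name": probe(login_vulnerable, conn, "o'brien", "pw"),
        "safe_quote_name": probe(login_parameterized, conn, "o'brien", "pw"),
        "safe_legit": probe(login_parameterized, conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is the query shape, not input filtering: rejecting quotes would also reject the legitimate `o'brien` account, while binding parameters handles both the attacker's payload and the awkward real name correctly. The same applies to any database engine; what differs between engines is only how far an attacker can get after the injection, which on the product described above was a command shell on the host.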
"Hackers are constantly looking for low-hanging fruit and vulnerabilities that can be exploited, and they're not always poking around in 'big' mainstream applications like Office," Stewart said. "Sometimes, a productivity tool or even an add-on can be the door that hackers step through to gain access to an environment and carry out their next move."