CVE-2021-42258

high-risk
Published 2021-10-22

BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.

Do I need to act?

!
94.1% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Bqe

References (3)

Exploit https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerabi...
Exploit https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerabi...
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
64
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 27/34 · High
Exposure 5/34 · Minimal