Bqe · Bqe Billquick Web Suite · CVE-2021-42258
**Name of the Vulnerable Software and Affected Versions**
BQE BillQuick Web Suite versions 2018 through 2021 before 22.0.9.1
**Description**
The issue allows SQL injection leading to unauthenticated remote code execution, and was exploited in the wild in October 2021 to install ransomware. The SQL injection can be performed via the `txtID` (aka `username`) parameter of the login form. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via the `xp_cmdshell` extended stored procedure. The vulnerability stems from a failure to neutralize special elements in SQL queries. It is estimated that 400,000 users worldwide may be affected, as the products are widely used.
**Recommendations**
For BQE BillQuick Web Suite versions 2018 through 2021 before 22.0.9.1, update to version 22.0.9.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to the `txtID` parameter in the login form to minimize the risk of exploitation.
Restrict access to the `xp_cmdshell` extended stored procedure on the backing SQL Server instance to prevent remote code execution.
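The following T-SQL illustrates the second recommendation: it checks whether `xp_cmdshell` is currently enabled, disables it, verifies the change, and checks whether the application's database login holds `sysadmin` (the role that can re-enable it). This is an added example for defenders, not code from BQE or from the original advisory; the login name `billquick_app` is an assumed placeholder and must be replaced with the login the application actually uses.

```sql
-- Added example (not from the advisory): harden the SQL Server instance
-- behind BillQuick Web Suite by disabling xp_cmdshell and verifying it.

-- 1. Show the current state of xp_cmdshell (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Disable xp_cmdshell. 'show advanced options' must be on to touch it.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
-- Hide advanced options again; leaving them exposed is not needed in production.
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: expect value_in_use = 0 after the change.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 4. Check whether the application login is sysadmin. A sysadmin login can
--    re-enable xp_cmdshell through an injected query, so the setting alone is
--    not a complete mitigation if this returns 1.
--    'billquick_app' is an assumed placeholder for the real application login.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'billquick_app') AS app_login_is_sysadmin;
```

If step 4 returns 1, move the application to a least-privilege login (database-level roles only) in addition to disabling `xp_cmdshell`, and apply the vendor patch rather than relying on the workaround.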