CVE-2021-42258

Name of the Vulnerable Software and Affected Versions BQE BillQuick Web Suite versions 2018 through 2021 before 22.0.9.1

Description The issue allows SQL injection for unauthenticated remote code execution, which has been exploited in the wild in October 2021 for ransomware installation. SQL injection can use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp cmdshell(). The vulnerability is related to errors in neutralizing special elements in SQL queries. It is estimated that 400,000 users worldwide may be affected, as the products are widely used.

Recommendations For BQE BillQuick Web Suite versions 2018 through 2021 before 22.0.9.1, update to version 22.0.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the txtID parameter in the login form to minimize the risk of exploitation. Restrict access to the xp cmdshell() procedure to prevent remote code execution.