CVE-2021-42258
Severity: CRITICAL | CISA KEV | CVSS 9.8
Description
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
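The weakness behind this entry is CWE-89: a username taken from the txtID form field is concatenated into the SQL text of a login lookup, so a crafted value rewrites the query instead of being compared as data. The example below is added here and is not BillQuick code; it reconstructs only the generic pattern, with SQLite standing in for Microsoft SQL Server (so stacked queries and xp_cmdshell are out of scope) and an assumed Users table. It runs the same crafted txtID value through a concatenated query and through a parameterized one to show that only the first is bypassed.

```python
"""Vulnerable vs. parameterized login lookup (CWE-89), illustrating the
txtID/username injection shape described for CVE-2021-42258.

Added example, not BQE code. Assumptions: SQLite stands in for MSSQL,
and the Users table, column names and hashing are invented for the demo.
"""
import hashlib
import sqlite3


def sha(s: str) -> str:
    """Assumed password hashing; the real scheme is not on the page."""
    return hashlib.sha256(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT, PasswordHash TEXT, IsAdmin INTEGER)"
    )
    conn.execute(
        "INSERT INTO Users VALUES (?, ?, ?)", ("alice", sha("correct-horse"), 1)
    )
    conn.commit()
    return conn


def build_vulnerable_sql(txt_id: str, txt_pw: str) -> str:
    """The CWE-89 pattern: request fields pasted straight into the SQL text."""
    return (
        "SELECT UserName FROM Users "
        f"WHERE UserName = '{txt_id}' AND PasswordHash = '{sha(txt_pw)}'"
    )


def login_vulnerable(conn: sqlite3.Connection, txt_id: str, txt_pw: str):
    """Returns the matched user name, or None. Attacker-controlled txtID
    can close the string literal and comment out the password check."""
    row = conn.execute(build_vulnerable_sql(txt_id, txt_pw)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, txt_id: str, txt_pw: str):
    """Hardened form: placeholders bind txtID as data, never as SQL syntax,
    so a quote or comment marker inside it is just part of the username."""
    row = conn.execute(
        "SELECT UserName FROM Users WHERE UserName = ? AND PasswordHash = ?",
        (txt_id, sha(txt_pw)),
    ).fetchone()
    return row[0] if row else None


# Crafted txtID value: terminates the literal, then '--' comments out
# the rest of the WHERE clause, so the password is never checked.
PAYLOAD = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("built SQL :", build_vulnerable_sql(PAYLOAD, "wrong"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # 'alice'
    print("safe      :", login_safe(db, PAYLOAD, "wrong"))        # None
```

The same payload shape, with a real MSSQL backend and stacked queries, is what turns an authentication bypass into command execution through xp_cmdshell; parameter binding removes the injection point regardless of which payload follows it. Whether xp_cmdshell is enabled on the database server is a separate hardening question the description implies but this example does not cover.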
CVE Details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2021-10-22
Last modified: 2025-11-10
Source: kev
Honeypot observations: 0
CISA KEV
Vendor: BQE
Product: BillQuick Web Suite
Vulnerability name: BQE BillQuick Web Suite SQL Injection Vulnerability
Date added to KEV: 2021-11-03
Remediation due date: 2021-11-17
Known ransomware campaign use: Known
Affected products
bqe:billquick_web_suite
Weaknesses (CWE)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
Huntress threat advisory (cve@mitre.org): https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
CISA Known Exploited Vulnerabilities catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42258
IOC correlations
No correlations recorded.
This product uses data from the NVD API but is not endorsed or certified by the NVD.