CVE-2021-42258
BQE Billquick Web Suite < 22.0.9.1 - SQL Injection
Tags: CRITICAL, KEV, RANSOMWARE, NUCLEI
Title source: ruleDescription
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
Exploits (1)
metasploit (working PoC) by h00die, Ruby PoC:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/billquick_txtid_sqli.rb
Nuclei Templates (1)
BillQuick Web Suite SQL Injection (CRITICAL) by dwisiswant0
Scores
CVSS v3: 9.8
EPSS: 0.9410
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV: 2021-11-03
VulnCheck KEV: 2021-10-22
InTheWild.io: 2021-10-22
ENISA EUVD: EUVD-2021-29234
Ransomware Use: Confirmed
CWE: CWE-89
Status: published
Products (1)
bqe/billquick_web_suite: 19 - 22.0.9.1
Published: Oct 22, 2021
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026