vulnerability
BQE WebSuite: CVE-2021-42258: BillQuick WebSuite SQL RCE
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Oct 22, 2021 | Mar 8, 2022 | May 3, 2022 |
Severity
9
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Oct 22, 2021
Added
Mar 8, 2022
Modified
May 3, 2022
Description
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
This check requires the Metasploit Remote Check Service to be enabled on Scan Engines. Please see the Metasploit Remote Check Service documentation for instructions on how to enable this functionality.
Solution
bqe-websuite-upgrade-latest
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.