
CVE-2021-42258

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 22 October 2021

Modified: 10 November 2025
KEV Added: 03 November 2021
Patch: 22.0.9.1
CVSS v3.1 score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.9410 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-42258 is a critical-severity SQL injection (CWE-89) vulnerability in BQE BillQuick Web Suite. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

BQE BillQuick Web Suite versions 2018 through 2021 before 22.0.9.1 contain a SQL injection vulnerability (CWE-89, CVSS 3.1 score 9.8) that leads to unauthenticated remote code execution. The injection point is the txtID parameter (the username field of the login form); a successful injection can be escalated to invoke xp_cmdshell and run arbitrary operating-system commands under the SQL Server service account, reported as MSSQLSERVER$. Reaching xp_cmdshell depends on the application's database login holding enough privilege to enable it (the procedure has been disabled by default since SQL Server 2005 and is switched on with sp_configure by a sysadmin-level login), so an over-privileged connection string is what turns a data-layer injection into host compromise.

Because the login handler is reached before any authentication, the flaw needs no credentials and no user interaction. Once command execution is obtained, attackers have used it to stage ransomware and other post-exploitation activity on the affected server.

Public advisories from Huntress and CISA report exploitation in the wild in October 2021 and recommend upgrading to version 22.0.9.1 or later. CISA added the CVE to its Known Exploited Vulnerabilities catalog on 3 November 2021, confirming active exploitation against internet-facing instances.
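As an added illustration, not code from this page, from BQE, or from Huntress, the following shows the string-concatenation pattern behind CWE-89 beside the parameterized form that SI-10 calls for at the query layer. The login table, column names, credentials and the txtID/txtPW field names are assumptions; BillQuick's actual query is not on this page. Python's sqlite3 is used so it runs offline; note that it refuses stacked statements, which SQL Server executes, so the xp_cmdshell stage is only described, not reproduced.

```python
import sqlite3

# Constructed stand-in for a login table. BillQuick's real schema and query are
# not on the page, so the table, column names and credentials are assumptions.
_SEED_USERS = [("admin", "S3cret!"), ("alice", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", _SEED_USERS)
    return conn


def vulnerable_login(conn, txt_id, txt_pw):
    """CWE-89 pattern: the txtID/txtPW form fields are spliced into the SQL text,
    so quotes and comment markers in the input become part of the statement."""
    sql = (f"SELECT UserName FROM Users WHERE UserName = '{txt_id}' "
           f"AND Password = '{txt_pw}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, txt_id, txt_pw):
    """Same lookup with bound parameters: the driver sends the values separately
    from the statement text, so input can never be parsed as SQL."""
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?"
    row = conn.execute(sql, (txt_id, txt_pw)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Comment-out payload: closes the quoted username and drops the password check.
    bypass = "admin' --"
    results = {
        "vuln_bypass": vulnerable_login(conn, bypass, "wrong-password"),
        "safe_bypass": safe_login(conn, bypass, "wrong-password"),
        "safe_legit": safe_login(conn, "admin", "S3cret!"),
    }
    # Stacked-statement payload, the shape needed to reach EXEC xp_cmdshell on
    # SQL Server. SQL Server would run the second statement; Python's sqlite3
    # refuses more than one statement per execute(), which is the only reason
    # it is "rejected" here. The exception class differs across Python versions.
    stacked = "x'; SELECT 'second statement' --"
    try:
        vulnerable_login(conn, stacked, "x")
        results["stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked"] = "rejected by sqlite3"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bypass payload authenticates as admin through the concatenated query and fails against the parameterized one with no validation code at all; input validation (rejecting quotes and comment markers in txtID) is a second layer, not a substitute for binding parameters.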


Vulnerability details

BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
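Added detection example for the xp_cmdshell stage described above; it is not from this page or from any vendor. xp_cmdshell launches cmd.exe /c <command> as a child of the sqlservr.exe process, so the host-side footprint of this RCE is a program spawned by SQL Server. The log lines are constructed using Sysmon Event ID 1 field names; the install paths, timestamps and the CORP\alice user are invented.

```python
import re

LOG_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed process-creation records using Sysmon Event ID 1 field names.
# Not real telemetry: host paths, timestamps and the CORP\alice user are invented.
SAMPLE_LOG = r'''
2021-10-15T03:12:40Z Image="C:\Windows\System32\svchost.exe" ParentImage="C:\Windows\System32\services.exe" User="NT AUTHORITY\SYSTEM" CommandLine="svchost.exe -k netsvcs"
2021-10-15T03:12:44Z Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" User="NT SERVICE\MSSQLSERVER" CommandLine="cmd.exe /c whoami"
2021-10-15T03:12:51Z Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" User="NT SERVICE\MSSQLSERVER" CommandLine="powershell -nop -w hidden -c Get-Process"
2021-10-15T03:13:02Z Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" User="CORP\alice" CommandLine="cmd.exe"
'''

# Interpreters and download tools that xp_cmdshell abuse typically launches first.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                      "bitsadmin.exe", "rundll32.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Turn one key="value" record into a dict; the leading token is the timestamp."""
    fields = dict(LOG_RE.findall(line))
    fields["Timestamp"] = line.split(" ", 1)[0]
    return fields


def detect_sqlserver_spawns(log_text):
    """Flag any process whose parent is sqlservr.exe. The engine itself does not
    launch programs; xp_cmdshell does, so a child of the SQL Server process is
    the host-side signal for the RCE stage regardless of which web app was hit."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if basename(ev.get("ParentImage", "")) != "sqlservr.exe":
            continue
        child = basename(ev.get("Image", ""))
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        alerts.append({"time": ev["Timestamp"], "child": child,
                       "user": ev.get("User", ""), "cmd": ev.get("CommandLine", ""),
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_sqlserver_spawns(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['user']} spawned {a['child']}: {a['cmd']}")
```

The rule keys on the parent image rather than on command-line strings, so it catches the two spawned shells and ignores the interactive cmd.exe under explorer.exe; the user field (the SQL Server service account) is what ties such an alert back to an injection in the web tier rather than to an administrator session.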

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: BQE
Product: BillQuick Web Suite
Versions: 19 up to, but not including, 22.0.9.1

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): directly requires validation of all inputs (e.g., txtID) so that SQL injection payloads are rejected before they reach the database.

Prevent (SC-7, Boundary Protection): enforces boundary protection and deny-by-default rules that would have blocked unauthenticated external access to the vulnerable web application.

Prevent: mandates timely application of the vendor patch (v22.0.9.1), which eliminates the SQL injection flaw exploited for remote code execution.

References