What is BQE BillQuick Web Suite?
BQE BillQuick Web Suite is a professional services project management and billing software platform used by architectural, engineering, and consulting firms to manage project time tracking, invoicing, and financial reporting. It is commonly deployed as an internet-accessible web application to support remote time entry by project staff. Because BillQuick connects to SQL databases containing client billing data, project records, and often Active Directory credentials for integrated authentication, SQL injection vulnerabilities carry significant data exposure risk.
Overview
CVE-2021-42258 is an unauthenticated SQL injection vulnerability (CWE-89) in the BQE BillQuick Web Suite login page. The username parameter on the login form is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. Huntress Labs discovered this vulnerability while investigating an active ransomware attack against a US engineering firm — the attacker exploited the SQL injection to extract credentials, pivot into the network, and deploy ransomware, all starting from the BillQuick login page.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| BillQuick Web Suite 2018 | Yes | Patched by BQE Software (contact vendor) |
| BillQuick Web Suite 2019 | Yes | Patched by BQE Software |
| BillQuick Web Suite 2020 | Yes | Patched by BQE Software |
| BillQuick Web Suite 2021 | Yes | Patched by BQE Software |
Technical Details
The login form's username field is vulnerable to SQL injection — the value is directly concatenated into a SQL query without parameterization:
- Injection point: The `username` parameter in the BillQuick Web Suite login POST request
- Authentication required: None — the injection is in the pre-authentication login handler
- Database access: With blind or error-based SQL injection, the attacker can extract the entire database including user credentials, project data, and client information
- Credential theft: BillQuick stores user credentials in its database; extraction enables direct application login bypassing the vulnerable login form
- AD credential pivot: Some BillQuick configurations integrate with Active Directory; extracted credentials or harvested AD tokens can enable lateral movement
- Ransomware chain: Huntress documented the full attack chain: SQLi → credential extraction → network enumeration → AD compromise → ransomware deployment
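The defect described above, string concatenation of the login username into the query text, shown beside the parameterized form that fixes it. This is an added illustration, not BillQuick's code (the product is an ASP.NET application backed by SQL Server; Python with an in-memory SQLite table stands in for it here), and the table, column names and the sample user are constructed for the example. The same tautology input that satisfies the concatenated query is rejected by the parameterized one, and a lone quote character raises a database error on the vulnerable path, which is the kind of error message the remediation section says to look for in logs.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's credential table (assumption:
    # real deployments would store a hash, not a plaintext password).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: untrusted input is pasted into the SQL text."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Fix: placeholders; the driver sends values separately from the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def raises_db_error(conn, username):
    """True if the vulnerable handler leaks a syntax error for this input."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    # A classic tautology: closes the string literal, ORs in a true clause,
    # and comments out the password check. Sent as a plain login attempt.
    tautology = "' OR 1=1 --"
    return {
        "vulnerable_bypassed": login_vulnerable(make_db(), tautology, "wrong"),
        "parameterized_bypassed": login_parameterized(make_db(), tautology, "wrong"),
        "parameterized_valid_login": login_parameterized(make_db(), "alice", "correct-horse"),
        "vulnerable_leaks_error": raises_db_error(make_db(), "'"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized query needs no input filtering to be safe: the username is bound as a value, so it can never alter the query's structure, which is the property a login handler must guarantee regardless of how the rest of the application validates input.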
Discovery
Discovered by Huntress Labs during incident response for a ransomware attack against a US engineering firm in October 2021. Huntress published a detailed threat advisory documenting the attack chain, which was the first public disclosure of this vulnerability. The discovery during an active attack means this was exploited as a zero-day before any public advisory existed.
Exploitation Context
A ransomware actor specifically targeted the BillQuick Web Suite application to gain initial access to an engineering firm's network. The SQL injection in the login page provided unauthenticated database access, which was leveraged to extract credentials and then move laterally through Active Directory to deploy ransomware. This attack demonstrates how specialized business applications with internet exposure can be just as dangerous as more widely-known attack vectors.
Remediation
- Apply the BQE Software patch for CVE-2021-42258 — contact BQE Software or check their update portal for the latest BillQuick Web Suite version
- If immediate patching is not possible, take BillQuick Web Suite offline or restrict it to VPN-only access
- BillQuick Web Suite should not be directly internet-accessible — require VPN or direct network connection for access
- Review BillQuick database logs for SQL injection signatures (unusual WHERE clauses, UNION statements, error messages)
- Rotate all BillQuick user credentials and any AD credentials that BillQuick uses for integration
- If compromise is suspected, engage incident response — the Huntress advisory documents the full attack chain to guide investigation
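A small triage script for the log review step above: it URL-decodes each request line and flags the signatures the remediation list names (UNION statements, tautological WHERE clauses, comment terminators, and database error messages). This is an added example, not a Huntress or BQE tool; the log lines, the `/Login.aspx` path and the field layout are constructed for the example and will not match a real BillQuick deployment's log format, so the parsing would need to be adapted. The error strings are real SQL Server messages; everything else is a generic pattern.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: IIS-style request lines plus one database error line.
SAMPLE_LOG = """\
2021-10-14 02:11:07 POST /Login.aspx username=jsmith status=200
2021-10-14 02:11:09 POST /Login.aspx username=jsmith'+OR+1=1-- status=200
2021-10-14 02:11:10 POST /Login.aspx username=x'+UNION+SELECT+name+FROM+sys.tables-- status=500
2021-10-14 02:11:11 DBERROR Unclosed quotation mark after the character string ''.
2021-10-14 02:11:30 POST /Login.aspx username=mlee status=200
"""

# Signature name -> compiled pattern. Matched against the decoded line.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "comment-terminator": re.compile(r"--(\s|$)|/\*"),
    "db-error": re.compile(
        r"unclosed quotation mark|incorrect syntax near|syntax error", re.I
    ),
}


def scan_for_sqli(lines):
    """Return [{line, text, reasons}] for every line hitting a signature."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        decoded = unquote_plus(raw)  # '+' and %XX encoding hide payloads
        reasons = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if reasons:
            hits.append({"line": number, "text": decoded, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_for_sqli(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {', '.join(hit['reasons'])}")
        print(f"    {hit['text']}")
```

Treat a hit as a reason to pull the surrounding requests, not as proof of compromise: a single quote in a surname produces the same error line, so the useful signal is a burst of errors or UNION attempts from one source against the login endpoint, followed by a successful login for an account that did not previously use that source.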
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-42258 |
| Vendor / Product | BQE — BillQuick Web Suite |
| NVD Published | 2021-10-22 |
| NVD Last Modified | 2025-11-10 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-89 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-10 | Huntress Labs discovers active exploitation of CVE-2021-42258 in ransomware attack against engineering firm |
| 2021-10-22 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Huntress Labs — Threat Advisory: BillQuick SQL Injection Leading to Ransomware | Security Research |
| NVD — CVE-2021-42258 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |