About BQE And BillQuick

BQE, established in 1995 and catering to over 400k users worldwide, is an award-winning world leader in professional project management, billing, time tracking, and accounting software. BillQuick is BQE’s desktop solution product for managing finances and projects, designed specifically for Intuit QuickBooks, and can also be integrated with accounting systems like Sage. BillQuick is offered in both on-premise and cloud versions.

Cybercriminals Are Exploiting BillQuick Software Vulnerability

The software vulnerability (ID code: CVE-2021-42258) affecting BQE’s BillQuick Web Suite software product was classified as a critical risk vulnerability. It has also been confirmed as being easy to exploit and has since been actively exploited in the wild by cybercriminals. Caleb Stewart of Huntress noted that hackers are “using it to gain initial access to a US engineering company and deploy ransomware across the victim’s network.” Stewart also expressed his concern that this scenario is rather dangerous for BQE’s “self-proclaimed user base of 400,000 users worldwide”. The team at Huntress was able to recreate the attack scenario and confirmed that hackers can indeed “access customers’ BillQuick data and run malicious commands on their on-premises Windows servers”. According to Huntress, “this incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed”.

Technical Details

The critical vulnerability leads to SQL injection, allowing a remote attacker to execute arbitrary SQL queries against the application database. The vulnerability exists because user-supplied data is insufficiently sanitized before it is placed into a query, so a remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. As a result, successful exploitation may allow a remote attacker to read, delete and modify data in the database. Ultimately, a remote attacker can gain complete control over the affected application.
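The injection pattern described above, untrusted input spliced into the SQL text, shown beside its parameterized fix. This is an added example and not BillQuick's code; the table, its rows and the crafted input are all constructed here for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows; not BillQuick's real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h1'), ('bob', 'h2')")
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: the request value is concatenated into the query,
    # so any quote or operator in it is parsed as SQL grammar, not data.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_safe(conn, username):
    # Hardened pattern: the value is bound as a parameter. The driver sends
    # it separately from the SQL text, so it can only be compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(r[0] for r in conn.execute(sql, (username,)))


def demo():
    conn = make_db()
    benign = "alice"
    crafted = "x' OR 'a'='a"  # constructed tautology: no such user exists
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),    # ['alice']
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # ['alice', 'bob']
        "safe_benign": lookup_safe(conn, benign),        # ['alice']
        "safe_crafted": lookup_safe(conn, crafted),      # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe lookup returns every row for the crafted input because the WHERE clause has been rewritten by the input; the parameterized lookup returns nothing, which is the correct answer for a username that does not exist.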

Vulnerable Versions

The following software versions are vulnerable and should not be used: BillQuick Web Suite 2018 through 2021, before 22.0.9.1.

Important User Info

It is important for BillQuick users to immediately update their existing software to version 22.0.9.1 or later (22.0.9.3).
