BillQuick has said a short-term patch will be released addressing some of the vulnerabilities identified this weekend by cybersecurity firm Huntress.
In a blog post[1] on Friday, Huntress security researcher Caleb Stewart said the company's ThreatOps team "discovered a critical vulnerability in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software."
"Hackers were able to successfully exploit CVE-2021-42258 -- using it to gain initial access to a US engineering company -- and deploy ransomware across the victim's network. Considering BQE's self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning," Stewart said.
"This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed."
Huntress also found eight other vulnerabilities: CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742.
In a statement to ZDNet, BQE Software said its engineering team is aware of the issues with BillQuick Web Suite, which customers use to host BillQuick, and that the vulnerability has been patched.
"Huntress also identified additional vulnerabilities, which we have been actively investigating. We expect a short-term patch to the BQE Web Suite vulnerabilities to be in place by end of day on 10/26/2021 along with a firm timeline on when a full fix will be implemented," the spokesperson added.
"The issue with BQE Web Suite affects fewer than 10% of our customers; we will be proactively communicating to each of them the existence of these issues, when they can expect the issues to be resolved, and what steps they can take in the interim to minimize their exposure."
Huntress explained how they were able to recreate the SQL injection-based attack, which they