BillQuick has said a short-term patch will be released addressing some of the vulnerabilities identified this weekend by cybersecurity firm Huntress.
In a blog post on Friday, Huntress security researcher Caleb Stewart said the company’s ThreatOps team “discovered a critical vulnerability in multiple versions of BillQuick Web Suite, a time and billing system from BQE Software.”
“Hackers were able to successfully exploit CVE-2021-42258 — using it to gain initial access to a US engineering company — and deploy ransomware across the victim’s network. Considering BQE’s self-proclaimed user base of 400,000 users worldwide, a malicious campaign targeting their customer base is concerning,” Stewart said.
“This incident highlights a repeating pattern plaguing SMB software: well-established vendors are doing very little to proactively secure their applications and subject their unwitting customers to significant liability when sensitive data is inevitably leaked and/or ransomed.”
Huntress also found eight other vulnerabilities: CVE-2021-42344, CVE-2021-42345, CVE-2021-42346, CVE-2021-42571, CVE-2021-42572, CVE-2021-42573, CVE-2021-42741, CVE-2021-42742.
In a statement to ZDNet, BQE Software said its engineering team is aware of the issues with BillQuick Web Suite, which customers use to host BillQuick, and said the vulnerability has been patched.
“Huntress also identified additional vulnerabilities, which we have been actively investigating. We expect a short-term patch to the BQE Web