Attackers are increasingly turning their attention to construction companies by abusing weaknesses in enterprise software that runs on their job sites.
One of the latest targets is the Mjobtime construction time-tracking application, which is often deployed on Microsoft IIS with an MSSQL database in the background.
A blind SQL injection flaw in Mjobtime version 15.7.2, tracked as CVE-2025-51683, allows remote attackers to send crafted HTTP POST requests to the app's /Default.aspx/update_profile_Server endpoint and force the database to run system commands.
This attack path gives intruders a direct line from a public-facing web form into the database engine, where they can abuse powerful features intended for administrators.
In real incidents, the malicious traffic first shows up in IIS logs as repeated POST requests to the vulnerable endpoint, followed by the activation of the xp_cmdshell extended stored procedure in the Mjobtime MSSQL instance.
Once enabled, xp_cmdshell lets the attacker run operating system commands with the service account's permissions, often giving them deep control over the Windows host.
Huntress analysts observed this pattern in three separate customer environments during 2025, all tied to Mjobtime deployments in the construction sector.
In the first case, they recorded the threat actor using xp_cmdshell to run commands such as "cmd /c net user" and a ping to an external oastify.com domain, clear indicators of discovery and callback testing from the compromised database server.
Process tree (Source – Huntress)
In the other two cases, the attackers tried to pull remote payloads using wget and curl, but were stopped before they could follow through with further stages of the intrusion. The process tree above shows the commands associated with this activity on one affected host.
From IIS POST Request to MSSQL Command Execution
The infection chain begins when an attacker sends a specially crafted POST request to the update_profile_Server function exposed by the Mjobtime web front end.
Because of the blind SQL injection bug, the web application passes attacker-controlled input to the MSSQL backend without proper checks, letting the intruder manipulate the queries that the application runs on the database.
AI-generated search engine documentation of the vulnerability and threat (Source – Huntress)
Over several requests, the attacker uses this control to enable xp_cmdshell on the Mjobtime instance and then executes system-level commands.
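The first indicator described above is a burst of POST requests to the update_profile_Server endpoint in the IIS logs. As an added example (not code from Huntress, InfoGuard Labs or Mjobtime), the Python below parses IIS W3C-format log lines and flags any client that sends a burst of such requests; the log lines, client IPs, request timings and the threshold are constructed assumptions for the demonstration.

```python
"""Flag repeated POSTs to the Mjobtime update_profile_Server endpoint in IIS W3C logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory; compared case-insensitively because IIS paths are.
SUSPECT_URI = "/default.aspx/update_profile_server"

# Constructed sample log: one benign GET, a burst of scripted POSTs from one client
# (note the long time-taken values typical of time-based blind injection probes),
# and a single legitimate POST from an authenticated user half an hour later.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 15
2025-06-01 10:00:03 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.31 200 120
2025-06-01 10:00:04 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.31 200 5200
2025-06-01 10:00:05 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.31 200 118
2025-06-01 10:00:06 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.31 500 5300
2025-06-01 10:30:00 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 jsmith 192.0.2.20 Mozilla/5.0 200 40
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_suspect_clients(text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: burst_size} for clients with >= threshold POSTs
    to the endpoint inside any sliding window of length `window`."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == SUSPECT_URI:
            hits[rec["c-ip"]].append(datetime.fromisoformat(rec["date"] + " " + rec["time"]))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    for ip, n in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to {SUSPECT_URI} within a 5-minute window")
```

A hit from this check is the cue to pull the MSSQL error log and check whether xp_cmdshell was enabled on the Mjobtime instance at the same time.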
Excerpt of Dario's public write-up, which provides tell-tale signs of what to look for when attempts are made to exploit the vulnerability (Source – Huntress)
It shows proof-of-concept payloads from the InfoGuard Labs research that mirror the behavior seen in the Huntress cases.
Once xp_cmdshell is live, the database server effectively becomes a remote shell behind the firewall, reachable through what looks like normal web traffic.
This not only exposes sensitive construction project and payroll data, but also provides a foothold an attacker can use to move deeper into the network if not quickly contained.
