Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AI Used in Ticketmaster Attack to Score Free Tickets
July 3, 2026
Anthropic Details Claude 3.5 Sonnet Safeguards and Jailbreak Framework
July 3, 2026
Google Disrupts NetNut Residential Proxy Botnet Exploiting 2 Million Devices
July 3, 2026
Home/Threats/Attackers Targeting Construction Firms Exploiting Mjobtime App Vulnerability Using MSSQL and IIS POST Request
Threats

Attackers Targeting Construction Firms Exploiting Mjobtime App Vulnerability Using MSSQL and IIS POST Request

Exploiting vulnerabilities in business software, attackers have intensified their focus on construction firms. This software often operates directly on job sites. One of the newest targets is the...

Emy Elsamnoudy
Emy Elsamnoudy
January 26, 2026 3 Min Read
39 0

Exploiting vulnerabilities in business software, attackers have intensified their focus on construction firms. This software often operates directly on job sites.

One of the newest targets is the Mjobtime construction time-tracking application, which is often deployed on Microsoft IIS with an MSSQL database in the background.

A blind SQL injection flaw in Mjobtime version 15.7.2, tracked as CVE-2025-51683, allows remote attackers to send crafted HTTP POST requests to the app’s /Default.aspx/update_profile_Server endpoint and force the database to run system commands.

This attack path gives intruders a direct line from a public-facing web form into the database engine, where they can abuse powerful features intended for administrators.

In real incidents, the malicious traffic first shows up in IIS logs as repeated POST requests to the vulnerable endpoint, followed by the activation of the xp_cmdshell extended stored procedure in the Mjobtime MSSQL instance.

Once enabled, xp_cmdshell lets the attacker run operating system commands with the service account’s permissions, often giving them deep control over the Windows host.

Huntress analysts noted this pattern in three separate customer environments during 2025, all tied to Mjobtime deployments in the construction sector.

In the first case, they recorded the threat actor using xp_cmdshell to run commands such as “cmd /c net user” and a ping to an external oastify.com domain, clear signs of discovery and callback testing from the compromised database server.

Process tree (Source - Huntress)
Process tree (Source – Huntress)

In the other two cases, the attackers tried to pull remote payloads using wget and curl, but were stopped before they could follow through with further stages of the intrusion. The process tree associated with these commands on one affected host.

From IIS POST Request to MSSQL Command Execution

The infection chain starts when an attacker sends a specially crafted POST request to the update_profile_Server function exposed by the Mjobtime web front end.

Because of the blind SQL injection bug, the web application passes attacker-controlled input to the MSSQL backend without proper checks, letting the intruder manipulate queries that the application runs on the database.

AI-generated search engine documentation of the vulnerability and risk (Source - Huntress)
AI-generated search engine documentation of the vulnerability and risk (Source – Huntress)

Over several requests, the attacker uses this control to enable xp_cmdshell on the Mjobtime instance and then executes system-level commands.

Excerpt of Dario’s public write-up, which provides tell-tale indicators of what to look for when attempts are made to exploit the vulnerability (Source - Huntress)
Excerpt of Dario’s public write-up, which provides tell-tale indicators of what to look for when attempts are made to exploit the vulnerability (Source – Huntress)

It shows proof-of-concept payloads from the InfoGuard Labs research that mirror the behavior seen in the Huntress cases.

Once xp_cmdshell is live, the database server effectively becomes a remote shell behind the firewall, reachable through what looks like normal web traffic.

This not only exposes sensitive construction project and payroll data, but also provides a foothold an attacker can use to move deeper into the network if not quickly contained.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitThreatVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Microsoft Investigating Boot Failure Issues With Windows 11, version 25H2 Following January Update

Next Post

Threat Actors Fake BSODs and Trusted Build Tools to Bypass Defenses and Deploy DCRat

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
July 2, 2026
Critical Claude Cowork Sandbox Vulnerability Lets Attackers Run Commands as Root
July 2, 2026
Ousaban Malware Targets Iberian Banks with Phishing PDFs and VBS Downloader
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us