Cyberattackers Exploit SQL Injection Flaw in Mjobtime Construction Software
Attackers are targeting construction firms by exploiting a critical vulnerability in Mjobtime, a time-tracking application widely used in the industry. The flaw, tracked as CVE-2025-51683, affects Mjobtime version 15.7.2 and enables blind SQL injection via the /Default.aspx/update_profile_Server endpoint.
By sending crafted HTTP POST requests, threat actors can manipulate the application’s MSSQL database to execute system commands. The attack chain leverages the xp_cmdshell stored procedure, granting attackers remote command execution with the permissions of the database service account, which often provides deep access to the Windows host.
Security firm Huntress observed this pattern in three separate incidents in 2025, all tied to Mjobtime deployments in the construction sector. In one case, attackers used xp_cmdshell to run reconnaissance commands (net user) and test connectivity via oastify.com. In two other instances, they attempted to fetch remote payloads using wget and curl, though further intrusion was prevented.
The vulnerability stems from improper input validation, allowing attackers to bypass security controls and turn the database into a remote shell behind the firewall. This not only exposes sensitive project and payroll data but also creates a foothold for lateral movement within the network. Indicators of compromise include repeated POST requests to the vulnerable endpoint and xp_cmdshell activation in MSSQL logs.
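One way to hunt for the two indicators named above, as an added example that is not from the article or from Huntress: it parses a constructed IIS W3C log excerpt for repeated POSTs to the vulnerable endpoint and a constructed SQL Server ERRORLOG excerpt for xp_cmdshell being switched on. The five-request threshold and every log line are assumptions made for the example.

```python
from collections import Counter

# Endpoint named in the advisory; the threshold and log lines below are constructed
# sample data for the example, not telemetry from the incidents.
VULN_ENDPOINT = "/Default.aspx/update_profile_Server".lower()
POST_THRESHOLD = 5  # assumption: repeated POSTs from one client in the window

# Constructed IIS W3C log excerpt (one client probing the endpoint, one normal user).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-06-01 10:00:01 10.0.0.5 POST /Default.aspx/update_profile_Server - 203.0.113.7 200
2025-06-01 10:00:02 10.0.0.5 POST /Default.aspx/update_profile_Server - 203.0.113.7 200
2025-06-01 10:00:02 10.0.0.5 POST /Default.aspx/update_profile_Server - 203.0.113.7 500
2025-06-01 10:00:03 10.0.0.5 POST /Default.aspx/update_profile_Server - 203.0.113.7 200
2025-06-01 10:00:04 10.0.0.5 POST /Default.aspx/update_profile_Server - 203.0.113.7 200
2025-06-01 10:00:05 10.0.0.5 POST /Default.aspx/update_profile_Server - 203.0.113.7 200
2025-06-01 10:01:10 10.0.0.5 GET /Default.aspx - 198.51.100.20 200
2025-06-01 10:01:15 10.0.0.5 POST /Default.aspx/update_profile_Server - 198.51.100.20 200
"""

# Constructed SQL Server ERRORLOG excerpt; the xp_cmdshell line mirrors the message
# SQL Server writes when sp_configure flips the option from 0 to 1.
SQL_ERRORLOG = """\
2025-06-01 10:00:02.11 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-06-01 10:00:02.12 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-06-01 10:05:00.00 spid12 SQL Server is now ready for client connections.
"""

def suspicious_posters(log_text, threshold=POST_THRESHOLD):
    """Return {client_ip: count} for clients whose POSTs to the endpoint reach threshold."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column layout comes from the header
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") == "POST" and row.get("cs-uri-stem", "").lower() == VULN_ENDPOINT:
            counts[row["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def xp_cmdshell_enabled_events(errorlog_text):
    """Return ERRORLOG lines recording xp_cmdshell being switched on."""
    return [l for l in errorlog_text.splitlines()
            if "'xp_cmdshell' changed from 0 to 1" in l]
```

A single POST to the endpoint is normal application traffic, so the count threshold matters more than the path match; pair either hit with the other before escalating.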
Source: https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/
mJobTime Corporation cybersecurity rating report: https://www.rankiteo.com/company/mjobtime
{
  "id": "MJO1769418142",
  "linkid": "mjobtime",
  "type": "Vulnerability",
  "date": "1/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Construction firms",
      "industry": "Construction",
      "name": "Mjobtime",
      "type": "Software Vendor"
    }
  ],
  "attack_vector": "HTTP POST requests to /Default.aspx/update_profile_Server",
  "data_breach": {
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Project and payroll data"
  },
  "date_detected": "2025",
  "description": "Attackers are targeting construction firms by exploiting a critical vulnerability in Mjobtime, a time-tracking application widely used in the industry. The flaw, tracked as CVE-2025-51683, affects Mjobtime version 15.7.2 and enables blind SQL injection via the /Default.aspx/update_profile_Server endpoint. By sending crafted HTTP POST requests, threat actors can manipulate the application’s MSSQL database to execute system commands, leveraging the xp_cmdshell stored procedure to gain remote command execution with the permissions of the service account.",
  "impact": {
    "data_compromised": "Sensitive project and payroll data",
    "operational_impact": "Lateral movement within the network, remote command execution",
    "systems_affected": "Mjobtime version 15.7.2, MSSQL database, Windows host"
  },
  "post_incident_analysis": {
    "root_causes": "Improper input validation in Mjobtime version 15.7.2"
  },
  "references": [{"source": "Huntress"}],
  "response": {"third_party_assistance": "Huntress"},
  "title": "Cyberattackers Exploit SQL Injection Flaw in Mjobtime Construction Software",
  "type": "SQL Injection",
  "vulnerability_exploited": "CVE-2025-51683 (Blind SQL Injection)"
}