Attackers are increasingly targeting construction companies by exploiting flaws in the business software that runs on their job sites. One of the most recent targets is the Mjobtime construction time-tracking application, which is frequently installed on Microsoft IIS with an MSSQL database behind it. Mjobtime version 15.7.2 has a blind SQL injection vulnerability, tracked as CVE-2025-51683, that allows remote attackers to send crafted HTTP POST requests to the app's /Default.aspx/update_profile_Server endpoint and make the database execute system commands.
This attack path gives intruders a direct line from a public-facing web form into the database engine, where they can abuse powerful features intended for administrators. In real incidents, the malicious traffic first shows up in IIS logs as repeated POST requests to the vulnerable endpoint, followed by the activation of the xp_cmdshell extended stored procedure in the Mjobtime MSSQL instance. Once enabled, xp_cmdshell lets the attacker run operating system commands with the service account's permissions, often giving them deep control over the Windows host.
In 2025, Huntress analysts observed this pattern in three distinct customer environments, all of which were connected to Mjobtime deployments in the construction industry. In the first instance, they captured the threat actor using xp_cmdshell to execute commands like "cmd /c net user" and a ping to an external oastify.com domain, which were obvious indications of discovery and callback testing from the compromised database server. In the other two instances, the attackers attempted to use curl and wget to retrieve remote payloads, but they were thwarted before they could proceed with additional phases of the intrusion.

Tree of processes: the affected host's process tree linked to these commands (Source: Huntress)
MSSQL Command Execution from IIS POST Request

The infection chain begins when an attacker sends a specially constructed POST request to the update_profile_Server function that the Mjobtime web front end exposes. Because of the blind SQL injection bug, the web application passes attacker-controlled input to the MSSQL backend without the necessary checks, letting the attacker manipulate database queries. The attacker uses this control over multiple requests to activate xp_cmdshell on the Mjobtime instance, after which system-level commands are executed.

AI-generated search engine documentation of the risk and vulnerability (Source: Huntress)
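The IIS-log pattern described above (repeated POSTs to the vulnerable endpoint from one client before xp_cmdshell is switched on) can be hunted for with a small W3C log parser. The following is an added example for defenders, not code from Huntress or the Mjobtime project; the log excerpt, the field layout and the repeat threshold are constructed assumptions, and the endpoint path is the one named in this article.

```python
"""Flag repeated POST requests to the Mjobtime update_profile_Server endpoint
in IIS W3C extended log lines (hunting aid for CVE-2025-51683 activity)."""
from collections import Counter

# Endpoint named in the advisory. Compared case-insensitively because IIS
# paths are case-insensitive and the logged cs-uri-stem may vary in case.
VULN_ENDPOINT = "/default.aspx/update_profile_server"

# Constructed sample IIS log excerpt (W3C format); not from a real incident.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 203.0.113.10 Mozilla/5.0 200
2025-06-01 10:00:02 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.10 python-requests/2.31 200
2025-06-01 10:00:03 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.10 python-requests/2.31 200
2025-06-01 10:00:04 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.10 python-requests/2.31 500
2025-06-01 10:00:05 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 198.51.100.7 Mozilla/5.0 200
2025-06-01 10:00:06 10.0.0.5 GET /Default.aspx - 443 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no entries
        elif fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_suspicious_posts(text, threshold=3):
    """Return {client_ip: count} for clients that POSTed to the vulnerable
    endpoint at least `threshold` times. The threshold is an assumption: a
    legitimate profile update rarely repeats within seconds, whereas blind
    SQL injection needs many requests to reach xp_cmdshell."""
    hits = Counter()
    for entry in parse_w3c(text):
        if (entry.get("cs-method") == "POST"
                and entry.get("cs-uri-stem", "").lower() == VULN_ENDPOINT):
            hits[entry["c-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_suspicious_posts(SAMPLE_IIS_LOG).items():
        print(f"{ip}: {n} POSTs to {VULN_ENDPOINT}")
```

Any client the function reports is a candidate for correlating against SQL Server's configuration-change events for xp_cmdshell on the same host.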
An excerpt from Dario's public report, which offers clear clues about what to look for when an attempt is made to exploit the vulnerability; it displays payloads from InfoGuard Labs' proof-of-concept research that exhibit similar behavior to the Huntress cases (Source: Huntress)

Once xp_cmdshell goes live, the database server essentially turns into a remote shell behind the firewall, reachable through what appears to be regular web traffic. In addition to exposing private payroll and construction project information, this gives an attacker a foothold that, if left unchecked, could allow them to penetrate further into the network.