Construction firms are facing a new wave of cyber threats as attackers exploit vulnerabilities in job site business software. One recent target is the Mjobtime construction time-tracking application, which commonly uses Microsoft IIS with an MSSQL database. Security researchers have identified a critical flaw in Mjobtime version 15.7.2, tracked as CVE-2025-51683, that enables remote attackers to execute system commands by sending specially crafted POST requests to the application’s /Default.aspx/update_profile_Server endpoint.
This security gap allows attackers to directly interact with the database engine from a public-facing web interface, leveraging powerful administrative features. In real-world incidents investigated by Huntress analysts, this malicious activity first appeared in IIS logs as repeated POST requests to the vulnerable endpoint. These requests were subsequently followed by the activation of the xp_cmdshell extended stored procedure within the Mjobtime MSSQL instance, a common technique for gaining elevated system privileges.
Attackers Exploit Mjobtime App Vulnerability Using MSSQL and IIS POST Request
The exploitation chain begins when an attacker sends a malicious POST request to the Mjobtime web application’s update_profile_Server function. Due to a blind SQL injection vulnerability, the application fails to sufficiently validate user input before passing it to the MSSQL backend. This allows the attacker to manipulate database queries, effectively gaining control over the application’s database interactions.
Over multiple requests, attackers leverage this control to enable the xp_cmdshell feature in the Mjobtime MSSQL instance. Once enabled, xp_cmdshell grants the attacker the ability to execute operating system commands using the permissions of the service account running the database. This can provide deep control over the affected Windows host, turning the database server into a remote shell accessible through seemingly normal web traffic.
Huntress analysts observed this pattern in three separate construction sector customer environments during 2025. In one instance, threat actors used xp_cmdshell to execute commands like “cmd /c net user” and initiated a ping to an external oastify.com domain. These actions are indicative of reconnaissance and callback testing from the compromised database server. In two other cases, attackers attempted to download remote payloads using wget and curl but were intercepted before further stages of the intrusion could be executed.
The activation of xp_cmdshell poses a significant risk to construction firms. It not only exposes sensitive construction project details and payroll data but also provides a foothold for attackers to move laterally within the network. Prompt containment is crucial to prevent deeper network compromise.
Understanding the Attack Vector
The vulnerability hinges on the interaction between the Microsoft Internet Information Services (IIS) web server and the Microsoft SQL Server (MSSQL) database, a common configuration for many business applications, including Mjobtime. The /Default.aspx/update_profile_Server endpoint, intended for legitimate profile updates, is the entry point for attackers.
By abusing the blind SQL injection, attackers can systematically determine database structures and execute commands without directly seeing the results of each query. This requires careful crafting of requests to infer database responses. However, once xp_cmdshell is enabled on the MSSQL instance, the attacker gains a direct channel to run arbitrary operating system commands on the server hosting the database.
The implications of such an attack are far-reaching. Beyond data theft, attackers could disrupt operations, deploy ransomware, or use the compromised system as a pivot point for further attacks against other organizations within the construction supply chain. The use of tools like wget and curl indicates an intent to download and execute additional malware or tools, suggesting a more sophisticated attack objective than simple data exfiltration.
This emerging threat highlights the importance of robust cybersecurity practices for all industries, including the construction sector, which may not always be perceived as a prime target for advanced cyberattacks. Regular software patching, secure configuration of web servers and databases, and diligent log monitoring are essential steps in mitigating such risks.
Moving forward, organizations using Mjobtime or similar applications deployed on IIS/MSSQL should prioritize updating their software to the latest secure versions and implementing stricter input validation on all web application endpoints. Network security teams will likely focus on enhancing intrusion detection systems to identify unusual POST request patterns and the subsequent execution of system commands via database procedures.
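The two indicators the article describes, a burst of POST requests to /Default.aspx/update_profile_Server in the IIS logs followed by xp_cmdshell being switched on, can be turned into a simple detection pass. The following is an added example, not code from the article or from Huntress; the IIS W3C log excerpt is constructed, the client addresses are documentation-range placeholders, and the 60-second window and threshold of four requests are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed IIS W3C log excerpt (not a real capture): one normal user plus a
# burst of POSTs to the vulnerable endpoint from a scripted client.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-06-01 10:15:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 31
2025-06-01 10:15:04 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 jdoe 198.51.100.20 Mozilla/5.0 - 200 0 0 45
2025-06-01 10:20:00 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 2100
2025-06-01 10:20:01 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 2094
2025-06-01 10:20:02 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 3011
2025-06-01 10:20:03 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 203.0.113.7 python-requests/2.31 - 500 0 0 12
"""

TARGET_STEM = "/default.aspx/update_profile_server"  # compared case-insensitively

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_post_bursts(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {client_ip: peak_count} for clients that POST to the Mjobtime
    endpoint at least `threshold` times inside any `window`-long interval."""
    hits = defaultdict(list)
    for rec in parse_w3c(log_text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == TARGET_STEM:
            hits[rec["c-ip"]].append(datetime.strptime(
                f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Second indicator from the article: xp_cmdshell being switched on. Run this over
# statement text from SQL Server Audit or Extended Events (inputs here are constructed).
XP_CMDSHELL_ON = re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*'?1\b", re.IGNORECASE)
def enables_xp_cmdshell(sql_text):
    return bool(XP_CMDSHELL_ON.search(sql_text))
```

A legitimate profile update produces a single POST per user session, so the single request from 198.51.100.20 stays below the threshold while the scripted burst from 203.0.113.7 is reported; an xp_cmdshell enable seen shortly after such a burst is the point at which the article recommends immediate containment.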