Critical mJobTime Vulnerability Exposes Construction Firms to Cyber Attacks
In recent developments, construction firms have become prime targets for cyber attackers exploiting vulnerabilities in industry-specific software. A significant concern is the discovery of a blind SQL injection flaw in mJobTime version 15.7.2, identified as CVE-2025-51683. This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands by sending specially crafted HTTP POST requests to the application’s `/Default.aspx/update_profile_Server` endpoint. ([cybersecuritynews.com](https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/?utm_source=openai))
mJobTime, a widely used time-tracking application in the construction sector, is typically deployed on Microsoft Internet Information Services (IIS) with a Microsoft SQL Server (MSSQL) database backend. The identified flaw provides a direct pathway for attackers from a public-facing web form into the database engine, enabling them to exploit administrative features. ([cybersecuritynews.com](https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/?utm_source=openai))
In documented incidents, malicious activities were first detected in IIS logs as repeated POST requests to the vulnerable endpoint. Subsequently, attackers activated the `xp_cmdshell` extended stored procedure within the MSSQL instance of mJobTime. This activation allows the execution of operating system commands with the service account’s permissions, potentially granting attackers extensive control over the Windows host. ([cybersecuritynews.com](https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/?utm_source=openai))
Analysts from Huntress observed this pattern in three separate customer environments during 2025, all associated with mJobTime deployments in the construction industry. In one case, the threat actor used `xp_cmdshell` to execute commands such as `cmd /c net user` and initiated a ping to an external domain, indicating reconnaissance and callback testing from the compromised database server. ([huntress.com](https://www.huntress.com/blog/hacked-construction-apps-bringing-down-jobsite-security?utm_source=openai))
In other instances, attackers attempted to retrieve remote payloads using tools like `wget` and `curl`. However, these attempts were thwarted before further stages of intrusion could occur. ([cybersecuritynews.com](https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/?utm_source=openai))
Technical Overview:
– Vulnerability Identifier: CVE-2025-51683
– Severity: Critical (CVSS Score: 9.8)
– Affected Version: mJobTime v15.7.2
– Attack Vector: Network
– Attack Complexity: Low
– Privileges Required: None
– User Interaction: None
– Impact: High on confidentiality, integrity, and availability
The exploitation process begins when an attacker sends a specially crafted POST request to the `update_profile_Server` function exposed by the mJobTime web front end. Due to the blind SQL injection vulnerability, the application processes attacker-controlled input without proper validation, allowing manipulation of database queries. Over multiple requests, the attacker can enable `xp_cmdshell` on the mJobTime instance and execute system-level commands. ([cybersecuritynews.com](https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/?utm_source=openai))
Once `xp_cmdshell` is activated, the database server effectively becomes a remote shell accessible through what appears to be normal web traffic. This exposure not only jeopardizes sensitive construction project and payroll data but also provides a foothold for attackers to penetrate deeper into the network if not promptly addressed. ([cybersecuritynews.com](https://cybersecuritynews.com/attackers-exploiting-mjobtime-app-vulnerability/?utm_source=openai))
Mitigation Recommendations:
1. Apply Security Patches: Organizations using mJobTime v15.7.2 should contact the vendor for information on available patches or updates addressing CVE-2025-51683.
2. Implement Web Application Firewalls (WAF): Deploying a WAF can help detect and block malicious requests targeting known vulnerabilities.
3. Conduct Regular Security Audits: Routine assessments can identify and mitigate potential vulnerabilities before they are exploited.
4. Restrict Database Permissions: Limit the use of powerful stored procedures like `xp_cmdshell` to essential administrative tasks only.
5. Monitor Logs: Regularly review IIS and database logs for unusual activities, such as repeated POST requests to specific endpoints or unexpected command executions.
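As an added example of the log review in item 5 (written for this article, not code from the vendor, Huntress or the cited reports), the script below parses IIS W3C log lines using their `#Fields:` header and flags any client that sends more POST requests to the `/Default.aspx/update_profile_Server` endpoint than a threshold within a five-minute window. The endpoint path comes from the article; the threshold, the window and the sample log lines are constructed assumptions.

```python
"""Flag bursts of POSTs to the mJobTime endpoint in IIS W3C logs (added example, not vendor code).
Assumes default IIS W3C extended logging with a '#Fields:' header; threshold and window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/default.aspx/update_profile_server"  # compared case-insensitively
WINDOW = timedelta(minutes=5)                         # assumed look-back window
THRESHOLD = 4                                         # assumed: more than 4 POSTs per client in WINDOW is suspicious

# Constructed sample log: 203.0.113.7 hammers the endpoint, 192.0.2.20 is ordinary use.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-06-01 10:00:01 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.7 python-requests/2.31 200
2025-06-01 10:00:02 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.7 python-requests/2.31 200
2025-06-01 10:00:02 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.7 python-requests/2.31 500
2025-06-01 10:00:03 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.7 python-requests/2.31 200
2025-06-01 10:00:04 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 203.0.113.7 python-requests/2.31 200
2025-06-01 10:07:30 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 192.0.2.20 Mozilla/5.0 200
2025-06-01 10:08:00 10.0.0.5 GET /Default.aspx - 443 192.0.2.20 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak count} for clients with more than `threshold` POSTs
    to TARGET_PATH inside any `window`-long span (sliding window per client)."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == TARGET_PATH:
            hits[rec["c-ip"]].append(datetime.fromisoformat(f"{rec['date']} {rec['time']}"))
    alerts = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop timestamps older than the window
                start += 1
            if end - start + 1 > threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

Calling `find_bursts(SAMPLE_LOG)` on the constructed log returns `{'203.0.113.7': 5}`; point `parse_w3c` at the contents of a real `u_ex*.log` file to run the same check over production logs.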
By proactively addressing these vulnerabilities and implementing robust security measures, construction firms can significantly reduce the risk of cyber attacks and protect their critical data and systems.