Rapid7 researchers recently discovered a zero-day vulnerability in PostgreSQL, identified as CVE-2025-1094, that has been actively exploited in a series of attacks, including those targeting BeyondTrust Remote Support systems. The flaw impacts the PostgreSQL interactive terminal (psql) and allows attackers to exploit SQL injection vulnerabilities through malformed UTF-8 characters in SQL statements. This vulnerability has been connected to successful remote code execution (RCE) attacks, one of which compromised machines at the U.S. Treasury Department.
The vulnerability serves as a critical pivot point for attackers, enabling exploitation of the BeyondTrust product, despite patches for related flaws.
The PostgreSQL flaw occurs in how psql handles invalid byte sequences, which can prematurely terminate SQL commands. This behavior allows attackers to inject additional SQL statements or execute shell commands, leading to a potential system compromise. Researchers demonstrated this exploit in controlled testing, using crafted inputs to trigger shell execution on the targeted system. Rapid7 also noted that the flaw, while patched by PostgreSQL in its latest updates, has been actively exploited in the wild, underlining its severity.
Although BeyondTrust had already released fixes for its vulnerabilities, including CVE-2024-12356 and CVE-2024-12686, this PostgreSQL flaw remains a significant concern. Rapid7 has connected the two vulnerabilities, stating that the BeyondTrust exploit relied heavily on the PostgreSQL flaw to gain unauthorized access to systems. Furthermore, the researchers have released a Metasploit module to help organizations detect vulnerable systems and deliver payloads that exploit this issue, increasing the risk for unpatched systems.
The breach at the U.S. Treasury Department is particularly alarming, as the Chinese government-backed hackers used this vulnerability to gain access to unclassified documents and workstations. The Treasury learned of the breach on December 8, 2024, when BeyondTrust alerted them about the exposed key used in their cloud-based service. BeyondTrust disclosed its compromise publicly shortly after, leading to the discovery of the PostgreSQL vulnerability, which has since been patched. This incident highlights the critical need for timely patching and continuous vigilance against emerging vulnerabilities.
