A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094)

The recent breach of US Treasury workstations by suspected Chinese state-sponsored attackers relied on two zero-day vulnerabilities chained together, according to researchers at Rapid7. The breach was initially attributed to CVE-2024-12356, an unauthenticated command injection vulnerability in BeyondTrust's Remote Support SaaS. Rapid7's further analysis showed that successfully exploiting that flaw in fact depended on exploiting a second, previously unknown vulnerability, CVE-2025-1094, as part of the injection chain.

About CVE-2025-1094

CVE-2025-1094 stems from how the string-quoting routines used by PostgreSQL's interactive tool, psql, handle invalid byte sequences, specifically truncated or malformed UTF-8 characters. Because the quoting code and psql's own input scanner disagree about where such a character ends, a carefully placed quote can escape a string literal, turning otherwise "escaped" input into a SQL injection. As Stephen Fewer, Principal Security Researcher at Rapid7, explained, "An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool's ability to run meta-commands." psql's `\!` meta-command (a backslash followed by an exclamation mark) runs an operating system shell command, so an injected `\!` yields code execution on the host running psql; even without it, the injection lets the attacker run arbitrary SQL statements of their choosing.
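To make the mechanism concrete, the following is an added illustration, not code from PostgreSQL, BeyondTrust or Rapid7. It models in Python the disagreement described above: a quoting routine that trusts the UTF-8 lead byte and copies the bytes it thinks belong to that character verbatim, beside a psql-style line scanner that re-reads a broken sequence byte by byte. The function names, the `users` query template, the error text and the attacker string `\xc0'; \! id #` are all constructed for this example; the real code is C and considerably more involved.

```python
# Simplified model of CVE-2025-1094 (added example; not PostgreSQL source).
# Two components look at the same bytes and disagree on character boundaries.

def utf8_seq_len(lead: int) -> int:
    """Number of bytes a UTF-8 character *claims* to have, judged from its lead byte only."""
    if lead < 0x80:
        return 1
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1


def escape_literal_vulnerable(raw: bytes) -> bytes:
    """Models the pre-fix quoting behaviour: single quotes are doubled, but the
    routine skips over whatever the lead byte says is a multibyte character
    without checking that the continuation bytes are actually valid.
    A quote that sits where a continuation byte should be is copied verbatim."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = utf8_seq_len(raw[i])
        if n == 1 and raw[i] == 0x27:      # 0x27 == "'"
            out += b"''"
        else:
            out += raw[i:i + n]            # trusts the lead byte; no validation
        i += n
    out += b"'"
    return bytes(out)


def escape_literal_fixed(raw: bytes) -> bytes:
    """Models the fixed behaviour: refuse to quote input that is not valid UTF-8,
    so a truncated sequence can never swallow a quote. (Error text is modelled.)"""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError('invalid byte sequence for encoding "UTF8"') from exc
    return b"'" + raw.replace(b"'", b"''") + b"'"


def find_meta_command(line: bytes):
    """Models how psql scans one input line: it tracks whether it is inside a
    single-quoted literal and treats a backslash outside quotes as the start of
    a meta-command that runs to the end of the line. Unlike the quoting routine,
    it checks continuation bytes: a broken sequence leaves the lead byte standing
    alone, so the following byte is read again as ordinary ASCII."""
    in_quote = False
    i = 0
    while i < len(line):
        n = utf8_seq_len(line[i])
        tail = line[i + 1:i + n]
        if n > 1 and (len(tail) < n - 1 or any(not 0x80 <= c <= 0xBF for c in tail)):
            n = 1                           # invalid sequence: re-read next byte normally
        if n == 1:
            if line[i] == 0x27:             # a doubled '' toggles twice, net unchanged
                in_quote = not in_quote
            elif line[i] == 0x5C and not in_quote:   # 0x5C == "\\"
                return line[i:]
        i += n
    return None


def build_psql_input(user_value: bytes, escape) -> bytes:
    """Hypothetical application that quotes a value and feeds the result to psql."""
    return b"SELECT * FROM users WHERE name = " + escape(user_value) + b";"


# Constructed attacker value: a lone 2-byte lead (0xC0) immediately followed by
# the closing quote, then a psql meta-command; '#' makes the shell ignore the rest.
PAYLOAD = b"\xc0'; \\! id #"


def demo() -> dict:
    """Returns what each quoting routine produces and what the scanner then sees."""
    vulnerable_line = build_psql_input(PAYLOAD, escape_literal_vulnerable)
    result = {
        "vulnerable_line": vulnerable_line,
        "injected_meta_command": find_meta_command(vulnerable_line),
        "benign_line": build_psql_input(b"O'Brien", escape_literal_vulnerable),
    }
    result["benign_meta_command"] = find_meta_command(result["benign_line"])
    try:
        build_psql_input(PAYLOAD, escape_literal_fixed)
        result["fixed_rejects"] = False
    except ValueError:
        result["fixed_rejects"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The benign value `O'Brien` is quoted correctly by both routines, which is why this bug survived ordinary testing: the quote is only left undoubled when it lands in the shadow of an invalid lead byte. In the modelled vulnerable path, the scanner closes the literal at that quote and then sees `\! id #` outside any string, i.e. a shell command; the modelled fix refuses the input outright instead of trying to quote it.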

Fewer's research also found that, before BeyondTrust released its patch for CVE-2024-12356 in mid-December 2024, CVE-2025-1094 could be exploited on vulnerable Remote Support targets on its own, without leveraging CVE-2024-12356 at all.

Fixes are available

The PostgreSQL project released fixes for CVE-2025-1094 on February 13, 2025. The patches BeyondTrust shipped in December 2024 already blocked the attack path through the PostgreSQL zero-day, so patched Privileged Remote Access (PRA) and Remote Support (RS) deployments are protected even though the underlying PostgreSQL bug was only fixed later.

Caitlin Condon, vulnerability research director at Rapid7, noted that CVE-2025-1094 is complex to exploit and that Rapid7 does not expect it to be used against PostgreSQL deployments other than the known vulnerable versions of BeyondTrust RS and PRA. She nevertheless stressed the attackers' expertise: "it's clear that the adversaries who perpetrated the December attack *really* knew the target technology."

PostgreSQL users are strongly advised to upgrade to one of the fixed versions: 17.3, 16.7, 15.11, 14.16, or 13.19. BeyondTrust users who have not yet applied the December 2024 fix should do so without delay. Rapid7 has published technical details on both zero-days and shared indicators of compromise, including specific PostgreSQL error messages in BeyondTrust Remote Support logs that may indicate attempted exploitation of CVE-2025-1094.
