A significant SQL injection vulnerability, identified as CVE-2025-1094, has emerged within the PostgreSQL interactive tool, raising alarms among security researchers. This flaw was exploited in conjunction with a zero-day vulnerability that facilitated a breach into the US Treasury in December 2024. Stephen Fewer, a principal security researcher at Rapid7, disclosed the details of this high-severity bug on Thursday, emphasizing its critical role in a broader exploit chain that also involved the BeyondTrust zero-day (CVE-2024-12356).
Details of the Vulnerability
Fewer noted that the exploitation of CVE-2025-1094 was essential for the successful execution of the BeyondTrust attack, stating, “In every scenario we tested, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution.” While BeyondTrust addressed CVE-2024-12356 with a patch in December 2024, this fix did not rectify the underlying issue of CVE-2025-1094, which remained a zero-day until Rapid7’s discovery and subsequent reporting to PostgreSQL.
Caitlin Condon, Rapid7’s director of vulnerability intelligence, confirmed that CVE-2025-1094 impacts all versions of the PostgreSQL interactive tool. However, she reassured that the complexity of the exploit makes it less likely to be targeted outside of the already vulnerable BeyondTrust versions. Condon remarked on the sophistication of the attackers involved in the December breach, noting, “It’s clear that the adversaries who perpetrated the December attack really knew the target technology.” This incident exemplifies a concerning trend in zero-day exploits that Rapid7 has been monitoring since 2023.
Exploit Mechanism
The vulnerability within the PostgreSQL interactive tool (psql) can lead to arbitrary code execution (ACE). Interestingly, there exists a method to exploit this vulnerability independently of CVE-2024-12356. Rapid7 indicated that while BeyondTrust’s patch successfully prevents the two vulnerabilities from being exploited in tandem, it does not address the root cause of the psql bug.
Fewer explained that the vulnerability arises from a flawed assumption regarding SQL injection attacks, particularly the belief that such attacks cannot occur when malicious input is properly escaped using PostgreSQL’s string escaping routines. However, he discovered that under certain conditions, malicious input could still be executed by the psql tool as part of a SQL statement. He elaborated, “Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection.”
Furthermore, the functionality of psql can be extended through meta-commands, allowing an attacker to achieve ACE by utilizing the exclamation mark meta-command to execute shell commands on the operating system. This vulnerability also permits the execution of arbitrary SQL statements.
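The defensive takeaway from the mechanism above is that string escaping only works on input that is already well-formed in the expected encoding, and that untrusted text should never reach psql, where a line beginning with a backslash is a meta-command. The following is an added example, not code from the article, Rapid7 or PostgreSQL; the function names and the constructed sample inputs are assumptions, and the byte sequences are generic malformed UTF-8, not any particular trigger.

```python
"""Validate encoding before escaping, and refuse text that psql would treat as a
meta-command. Added example; names and sample inputs are hypothetical."""


class InvalidEncoding(ValueError):
    """Raised when untrusted bytes are not well-formed UTF-8."""


def validate_utf8(raw: bytes) -> str:
    # Strict decoding rejects truncated sequences, lone continuation bytes and
    # overlong forms. Lenient modes ("replace", "surrogateescape") would let
    # malformed bytes survive into the later escaping step, which is the
    # assumption the article says CVE-2025-1094 breaks.
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidEncoding(f"invalid UTF-8 at byte offset {exc.start}") from exc


def quote_literal(value: str) -> str:
    # Plain SQL literal quoting (double each single quote). Only meaningful
    # once the text has been validated as well-formed; prefer a parameterised
    # query through a real client library wherever one is available.
    return "'" + value.replace("'", "''") + "'"


def build_literal(raw: bytes) -> str:
    """Validate first, then quote. Raises InvalidEncoding on malformed input."""
    return quote_literal(validate_utf8(raw))


def is_well_formed(raw: bytes) -> bool:
    try:
        validate_utf8(raw)
        return True
    except InvalidEncoding:
        return False


def contains_psql_meta_command(script: str) -> bool:
    # psql interprets a line whose first non-blank character is a backslash as
    # a meta-command rather than SQL. Coarse guard for any pipeline that still
    # feeds text into psql: such lines should never come from untrusted input.
    return any(line.lstrip().startswith("\\") for line in script.splitlines())


if __name__ == "__main__":
    # Constructed samples: one valid, two malformed (truncated 3-byte sequence,
    # lone continuation byte).
    for sample in (b"O'Reilly", b"caf\xe2\x82", b"\x80abc"):
        print(sample, "->", build_literal(sample) if is_well_formed(sample) else "REJECTED")
```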
Recommendations and Acknowledgments
A comprehensive technical analysis of both vulnerabilities is available on AttackerKB, which outlines critical indicators of compromise and recommended remediation steps. To safeguard against these vulnerabilities, users are advised to update to the latest versions released on February 13.
Condon expressed appreciation for the PostgreSQL team’s collaboration and communication throughout the disclosure process, stating, “This is one of the most straightforward disclosure timelines we’ve been able to put in a coordinated vulnerability disclosure blog in a while, which is extra nice and unfortunately not the norm in recent years.” Her gratitude reflects the importance of effective communication in addressing security vulnerabilities.