Rapid7’s vulnerability research team has reported that a security flaw in PostgreSQL was exploited as a zero-day in the December breach of BeyondTrust, a company specializing in privileged access management. That breach involved the exploitation of two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, alongside a stolen API key, leading to unauthorized access to 17 Remote Support SaaS instances.
In early January, the U.S. Treasury Department disclosed that its network had also been compromised, with attackers leveraging the stolen Remote Support SaaS API key to access its BeyondTrust instance. This incident has since been linked to Silk Typhoon, a cyber-espionage group believed to be backed by the Chinese state. Silk Typhoon is notorious for its reconnaissance and data theft operations, having previously breached an estimated 68,500 servers in early 2021 using vulnerabilities in Microsoft Exchange Server.
The attackers specifically targeted critical offices within the Treasury, including the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC), which are responsible for assessing foreign investments and administering trade sanctions, respectively. They also gained access to the Treasury’s Office of Financial Research systems, although the full impact of this breach is still under evaluation. Reports suggest that Silk Typhoon utilized their access to gather unclassified information related to potential sanctions and other sensitive documents.
On December 19, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-12356 vulnerability to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies secure their networks against ongoing attacks within a week. Subsequently, on January 13, CISA ordered federal agencies to patch their systems against CVE-2024-12686.
PostgreSQL zero-day linked to BeyondTrust breach
As part of their analysis of CVE-2024-12356, Rapid7 uncovered another zero-day vulnerability in PostgreSQL, designated CVE-2025-1094. This vulnerability, reported on January 27 and patched shortly thereafter, allows SQL injection when psql, the PostgreSQL interactive terminal, processes untrusted input; the root cause is the mishandling of certain invalid multibyte sequences, i.e. byte sequences that are not valid UTF-8.
The PostgreSQL security team elaborates that “improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns.” SQL injection can also occur if an application uses the result of one of these functions to construct input for psql, the PostgreSQL interactive terminal. PostgreSQL’s command-line utility programs are likewise affected under specific encoding conditions.
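Because the advisory above traces the bug to escaping routines mishandling invalid multibyte input, one defensive measure is to validate the encoding strictly before any quoting or escaping takes place and to reject malformed bytes outright. The following is an added example written for this article, not code from PostgreSQL, Rapid7 or BeyondTrust; the function names are my own, and the check implements the RFC 3629 well-formedness table rather than relying on a library decoder.

```python
# Added example (not from the article, PostgreSQL or Rapid7): a strict UTF-8
# well-formedness check applied before building a quoted SQL literal, so that
# malformed multibyte input is refused instead of being escaped and forwarded.
# Defense in depth only: parameterised queries remain the primary control.

def utf8_error_offset(buf: bytes):
    """Return the offset of the first malformed UTF-8 sequence, or None.

    Rejects bytes that cannot start a sequence, missing or out-of-range
    continuation bytes, overlong forms, UTF-16 surrogates (U+D800..U+DFFF),
    code points above U+10FFFF, and sequences cut off by the end of the buffer.
    """
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        if b < 0x80:                      # plain ASCII
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:             # 2-byte sequence
            need, lo, hi = 1, 0x80, 0xBF
        elif 0xE0 <= b <= 0xEF:           # 3-byte sequence
            need = 2
            lo = 0xA0 if b == 0xE0 else 0x80   # no overlong 3-byte forms
            hi = 0x9F if b == 0xED else 0xBF   # no surrogates
        elif 0xF0 <= b <= 0xF4:           # 4-byte sequence
            need = 3
            lo = 0x90 if b == 0xF0 else 0x80   # no overlong 4-byte forms
            hi = 0x8F if b == 0xF4 else 0xBF   # nothing above U+10FFFF
        else:
            return i                      # 0x80..0xC1 and 0xF5..0xFF never lead
        if i + need >= n:
            return i                      # sequence truncated by end of buffer
        if not (lo <= buf[i + 1] <= hi):  # second byte carries the tight range
            return i
        for k in range(2, need + 1):      # remaining bytes are plain continuations
            if not (0x80 <= buf[i + k] <= 0xBF):
                return i
        i += need + 1
    return None


def quote_literal_strict(raw: bytes) -> str:
    """Validate encoding first, then build a single-quoted SQL literal.

    Raises ValueError rather than producing any literal from malformed input.
    """
    off = utf8_error_offset(raw)
    if off is not None:
        raise ValueError(f"malformed UTF-8 at byte offset {off}; refusing to quote")
    return "'" + raw.decode("utf-8").replace("'", "''") + "'"
```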
Rapid7’s findings indicate that successfully exploiting CVE-2024-12356 to achieve remote code execution requires CVE-2025-1094, implying that the exploit used against BeyondTrust Remote Support (CVE-2024-12356) depended on the PostgreSQL flaw CVE-2025-1094. Additionally, while BeyondTrust classified CVE-2024-12356 as a command injection vulnerability, Rapid7 suggests it is more accurately described as an argument injection vulnerability.
Moreover, Rapid7 has identified a method to exploit CVE-2025-1094 for remote code execution in vulnerable BeyondTrust Remote Support systems, independent of the CVE-2024-12356 argument injection vulnerability. Notably, they have observed that BeyondTrust’s patch for CVE-2024-12356 does not resolve the root cause of CVE-2025-1094; however, it effectively prevents the exploitation of both vulnerabilities. Rapid7 stated, “We have also learnt that it is possible to exploit CVE-2025-1094 in BeyondTrust Remote Support without the need to leverage CVE-2024-12356. However, due to some additional input sanitation that the patch for CVE-2024-12356 employs, exploitation will still fail.”