Suspected Chinese state-sponsored attackers compromised the workstations of several U.S. Treasury employees in December 2024, and researchers at Rapid7 have now shown that the intrusion chained two vulnerabilities rather than one. Attention initially centred on a single flaw, CVE-2024-12356, an unauthenticated command injection vulnerability in the Treasury's BeyondTrust Remote Support SaaS instances. Rapid7's further analysis found that successful exploitation of that flaw relied on a second, previously unknown vulnerability, CVE-2025-1094 in PostgreSQL, to achieve remote code execution.
PostgreSQL zero-day exploited in attack
CVE-2025-1094 stems from the way PostgreSQL's string-quoting routines handle certain invalid byte sequences, specifically bytes that do not form valid UTF-8 characters, when input is quoted for the interactive terminal, psql. A quote character that follows an invalid multibyte lead byte is not neutralized, so attacker-controlled input can break out of a string literal and achieve SQL injection. Stephen Fewer, Principal Security Researcher at Rapid7, explained that an attacker who can obtain SQL injection through CVE-2025-1094 can go on to execute arbitrary code by using psql's meta-command functionality.
psql's \! meta-command runs an operating system shell command, so injected text that reaches it yields code execution on the host running psql. Alternatively, an attacker can simply run SQL statements of their own choosing, which is damaging on its own.
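As an added illustration of the mechanism described above (a model written for this article, not PostgreSQL or libpq code), the following Python script contrasts a quoting routine that decides a multibyte character's length from its lead byte alone with one that validates UTF-8 before quoting, and runs both results through a minimal stand-in for psql's line scanner. The names utf8_mblen, escape_literal_unsafe, escape_literal_safe, scan_meta_commands, build_query and demonstrate, the users table, and the two inputs are all constructed for the example.

```python
"""Model of the CVE-2025-1094 quoting bypass (added example, not PostgreSQL code)."""

QUOTE = ord("'")
BACKSLASH = ord("\\")


def utf8_mblen(lead: int) -> int:
    """Length a UTF-8 decoder infers from the lead byte alone (the rule pg_utf_mblen applies)."""
    if lead < 0x80:
        return 1
    if (lead & 0xE0) == 0xC0:
        return 2
    if (lead & 0xF0) == 0xE0:
        return 3
    if (lead & 0xF8) == 0xF0:
        return 4
    return 1  # stray continuation byte or other garbage: treated as a single byte


def escape_literal_unsafe(data: bytes) -> bytes:
    """Model of the pre-fix quoting pattern: step through the input in
    encoding-sized chunks, double a lone quote, copy a multibyte chunk verbatim.
    Only the lead byte is inspected, so a quote hiding behind an invalid lead
    byte such as 0xC0 is copied through undoubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        n = utf8_mblen(data[i])
        chunk = data[i:i + n]
        out += b"''" if chunk == b"'" else chunk
        i += n
    return bytes(out + b"'")


def escape_literal_safe(data: bytes) -> bytes:
    """Hardened version: refuse any input that is not valid UTF-8 before quoting
    (the patched libpq likewise errors out on invalid multibyte sequences), then
    double every quote on the decoded text."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid byte sequence for encoding UTF8 at offset {exc.start}") from exc
    return b"'" + text.replace("'", "''").encode("utf-8") + b"'"


def scan_meta_commands(script: bytes) -> list[bytes]:
    """Minimal model of psql's input handling: a backslash outside a quoted
    literal starts a meta-command that runs to end of line, while '' inside a
    literal is an escaped quote. (Ignores E'' strings, $$ quoting, comments and
    quoted identifiers, which are irrelevant to this bypass.)"""
    found = []
    in_literal = False
    i = 0
    while i < len(script):
        b = script[i]
        if in_literal:
            if b == QUOTE:
                if i + 1 < len(script) and script[i + 1] == QUOTE:
                    i += 2  # doubled quote stays inside the literal
                    continue
                in_literal = False
        elif b == QUOTE:
            in_literal = True
        elif b == BACKSLASH:
            end = script.find(b"\n", i)
            end = len(script) if end == -1 else end
            found.append(script[i:end])
            i = end
            continue
        i += 1
    return found


def build_query(escaper, user_input: bytes) -> bytes:
    """Hypothetical application: quote user input and hand the statement to psql."""
    return b"SELECT * FROM users WHERE name = " + escaper(user_input) + b";"


def demonstrate(user_input: bytes) -> dict:
    """Push one input through both escapers; report what psql's scanner would see."""
    unsafe_query = build_query(escape_literal_unsafe, user_input)
    result = {"unsafe_query": unsafe_query,
              "unsafe_meta": scan_meta_commands(unsafe_query)}
    try:
        safe_query = build_query(escape_literal_safe, user_input)
        result["safe_query"] = safe_query
        result["safe_meta"] = scan_meta_commands(safe_query)
    except ValueError as exc:
        result["safe_error"] = str(exc)
    return result


# Constructed inputs. 0xC0 is never valid in UTF-8, but its bit pattern claims a
# two-byte character, so the naive escaper swallows the quote that follows it.
ATTACK = b"\xc0' \\! id #"
# A real two-byte character (e acute) before the quote is handled correctly.
BENIGN = "\u00e9' \\! id".encode("utf-8")

if __name__ == "__main__":
    for label, data in (("attack", ATTACK), ("benign", BENIGN)):
        print(label, demonstrate(data))
```

Run as a script, the attack input comes out of the naive escaper as '\xc0' \! id #' and the scanner reports a \! meta-command outside the literal, while the hardened escaper refuses the input outright; the benign input, whose quote follows a genuine two-byte character, is escaped identically by both routines and reaches no meta-command. Real psql's lexer is far richer than this scanner, but the property that matters is the same: a quote that the producer did not double and the consumer does treat as a delimiter.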
The PostgreSQL team released a fix for CVE-2025-1094 on February 13, 2025. The patches BeyondTrust issued in December 2024 also remove the possibility of using the PostgreSQL zero-day against BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products. Caitlin Condon, vulnerability research director at Rapid7, noted that CVE-2025-1094 is not trivial to exploit and is unlikely to be targeted in PostgreSQL deployments outside the known vulnerable versions of BeyondTrust RS and PRA.
The attackers behind the December breach showed notable familiarity with the targeted technology, indicating a well-planned operation. PostgreSQL users are strongly advised to upgrade to the fixed versions: 17.3, 16.7, 15.11, 14.16, or 13.19. BeyondTrust customers who have not yet applied the December 2024 fix should do so without delay. Rapid7 has also published advisories for both zero-day vulnerabilities together with indicators of compromise, including specific error messages in logs that may indicate exploitation of CVE-2025-1094 against BeyondTrust Remote Support instances.