PostgreSQL Bug Used in December US Treasury Hack


Researchers discovered a high-severity SQL injection bug in the PostgreSQL interactive tool (psql) that was exploited alongside a zero-day vulnerability in BeyondTrust software during the December US Treasury hack. The bug, CVE-2025-1094, affected all versions of psql and allowed attackers to achieve remote code execution. While BeyondTrust patched its zero-day vulnerability, the patch didn't address the root cause of the psql bug. Rapid7 reported the vulnerability to PostgreSQL, and the latest versions released on February 13th address the issue.

A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say. Rapid7's principal security researcher, Stephen Fewer, disclosed CVE-2025-1094 on Thursday, saying it was a key part of the exploit chain that also included the BeyondTrust zero-day.

"Rapid7 discovered that in every scenario we tested, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution," "While CVE-2024-12356 was patched by BeyondTrust in December 2024, and this patch successfully blocks exploitation of both CVE-2024-12356 and CVE-2025-1094, the patch did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered and reported it to PostgreSQL."

According to Rapid7's director of vulnerability intelligence, Caitlin Condon, CVE-2025-1094 affects all versions of the PostgreSQL interactive tool, but, fortunately, it isn't particularly simple to exploit. Given the complexity of the exploit pattern, Rapid7 doesn't expect attacks to be carried out away from the BeyondTrust versions already known to be vulnerable.

Via Mastodon: "But with the above said, it's clear that the adversaries who perpetrated the December attack really knew the target technology, which is yet another example of a zero-day exploit trend Rapid7 started tracking in 2023."

The vulnerability in the PostgreSQL interactive tool can lead to arbitrary code execution (ACE), and there is also a technique to exploit it independently from CVE-2024-12356. Rapid7 said BeyondTrust's patch for its zero-day didn't address the root cause of the psql bug, but it does prevent the two from being exploited together. However, the researcher discovered that a malicious input can still be executed by the psql tool under specific conditions as part of a SQL statement.

Fewer said: "Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection."

Meta-commands extend psql's functionality, and it's through these that an attacker can feasibly achieve ACE by using the exclamation mark meta-command to execute a shell command on the operating system. Attackers can also use the vulnerability to execute SQL statements of their choosing.

[…] of both vulnerabilities can be found on AttackerKB, which details all the important indicators of compromise and remediation steps. However, to summarize, users should apply the latest versions, released on February 13, to keep themselves safe.

She said: "One teeny tiny last semi-personal note – this is one of the most straightforward disclosure timelines we've been able to put in a blog in a while, which is extra nice and also makes me extra grateful to the PostgreSQL dev group."
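The root cause described above is invalid UTF-8 reaching the escaping routines and then psql, so a service that hands untrusted values to psql can screen them first as defense in depth alongside the February 13 releases. The following is an added example, not code from Rapid7, PostgreSQL or BeyondTrust; the function name `screen_untrusted_input` and the sample values are constructed for illustration.

```python
import re

# A backslash command at the start of a line is how psql meta-commands
# (such as the "\!" shell escape the article mentions) are written.
META_COMMAND = re.compile(r"^\s*\\[A-Za-z!?]", re.MULTILINE)


def screen_untrusted_input(raw: bytes) -> list[str]:
    """Return reasons to reject `raw` before it is escaped and sent to psql.

    An empty list means the value passed every check below.
    """
    findings = []
    try:
        # Strict decoding rejects truncated, overlong and otherwise
        # malformed sequences instead of passing the bytes through.
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        findings.append(f"invalid UTF-8 at byte offset {exc.start}")
        # Decode leniently only so the remaining checks can still run.
        text = raw.decode("utf-8", errors="replace")
    if "\x00" in text:
        findings.append("NUL byte")
    if META_COMMAND.search(text):
        findings.append("psql meta-command at start of a line")
    return findings


# Constructed sample values, not taken from any real incident.
SAMPLES = {
    "plain ASCII": b"alice",
    "valid multi-byte": "Zo\u00eb".encode("utf-8"),
    "truncated sequence": b"caf\xc3",
    "stray byte": b"a\xffb",
    "meta-command line": b"note\n\\! true",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        result = screen_untrusted_input(value)
        verdict = "reject: " + "; ".join(result) if result else "accept"
        print(f"{label:20} -> {verdict}")
```

Rejecting malformed bytes at the boundary keeps them away from the escaping step the quote identifies; it does not replace upgrading psql.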


Source: TheRegister
