PostgreSQL Bug Used in December US Treasury Hack

Source: TheRegister

Researchers discovered a high-severity SQL injection bug in the PostgreSQL interactive tool (psql) that was exploited alongside a zero-day vulnerability in BeyondTrust software during the December US Treasury hack. The bug, CVE-2025-1094, affected all versions of psql and allowed attackers to achieve remote code execution. While BeyondTrust patched its zero-day vulnerability, the patch didn't address the root cause of the psql bug. Rapid7 reported the vulnerability to PostgreSQL, and the latest versions released on February 13th address the issue.

A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.

"While CVE-2024-12356 was patched by BeyondTrust in December 2024, and this patch successfully blocks exploitation of both CVE-2024-12356 and CVE-2025-1094, the patch did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered and reported it to PostgreSQL."

The vulnerability in the PostgreSQL interactive tool can lead to arbitrary code execution and there is also a technique to exploit it independently from CVE-2024-12356. Rapid7 said BeyondTrust's patch for its zero-day didn't address the root cause of the psql bug, but it does prevent the two from being exploited together. However, the researcher discovered that a malicious input can still be executed by the psql tool under specific conditions as part of a SQL statement.
