PostgreSQL Interactive Tool Vulnerability Exploited in US Treasury Hack

  • 📰 TheRegister

Researchers have revealed that a high-severity SQL injection vulnerability in the PostgreSQL interactive tool (psql) was exploited in conjunction with a zero-day vulnerability that breached the US Treasury in December. The vulnerability, CVE-2025-1094, was discovered by Rapid7 and allows attackers to execute arbitrary code on vulnerable systems. While BeyondTrust patched the other zero-day (CVE-2024-12356) used in the attack, it did not address the root cause of CVE-2025-1094. Users are urged to update to the latest versions of PostgreSQL to mitigate this risk.

A high-severity SQL injection vulnerability in the PostgreSQL interactive tool was exploited in tandem with a zero-day vulnerability that was used to breach the U.S. Treasury in December, according to researchers. Stephen Fewer, a principal security researcher at Rapid7, disclosed CVE-2025-1094 (CVSS 8.1) on Thursday, stating that it played a crucial role in the exploit chain that also included the BeyondTrust zero-day vulnerability (CVE-2024-12356).

Rapid7 discovered that in every scenario they tested, a successful exploitation of CVE-2024-12356 required the exploitation of CVE-2025-1094 to achieve remote code execution.

While BeyondTrust patched CVE-2024-12356 in December 2024, and this patch successfully blocked the exploitation of both CVE-2024-12356 and CVE-2025-1094, it did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered and reported it to PostgreSQL. According to Caitlin Condon, director of vulnerability intelligence at Rapid7, CVE-2025-1094 affects all versions of the PostgreSQL interactive tool, but thankfully, it is not particularly easy to exploit. Given the complexity of the exploit pattern, Rapid7 does not anticipate widespread attacks beyond the known vulnerable BeyondTrust versions. However, as Fewer noted via Mastodon, the adversaries who carried out the December attack clearly possessed in-depth knowledge of the target technology, highlighting a continuing trend of zero-day exploit usage that Rapid7 has been tracking since 2023.

The vulnerability in the PostgreSQL interactive tool (psql) can lead to arbitrary code execution (ACE) and can also be exploited independently of CVE-2024-12356. Rapid7 stated that BeyondTrust's patch for its zero-day did not fix the root cause of the psql bug, but it does prevent both vulnerabilities from being exploited simultaneously. However, the researcher discovered that under specific conditions, a malicious input can still be executed by the psql tool as part of a SQL statement. Fewer explained that because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, combined with how invalid byte sequences within these invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection.

Running meta-commands can extend psql's functionality, and through these, an attacker could potentially achieve ACE by using the exclamation mark meta-command to execute a shell command on the operating system. Attackers can also use the vulnerability to execute SQL statements of their choosing. Detailed information about both vulnerabilities, including indicators of compromise and remediation steps, can be found on AttackerKB. However, to summarize, users should apply the latest versions, released on February 13, to protect themselves.

Condon added, 'One teeny tiny last semi-personal note – this is one of the most straightforward disclosure timelines we've been able to put in a blog in a while, which is extra nice (and unfortunately not the norm in recent years) and also makes me extra grateful to the PostgreSQL dev group.'
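Because the root cause described above is invalid UTF-8 reaching psql, a defence-in-depth gate alongside the update is to refuse any generated SQL text that is not strictly valid UTF-8 and to flag backslash meta-commands that sit outside string literals. The following is an added example, not code from the article, Rapid7 or PostgreSQL; the function names and sample inputs are constructed, and it assumes the script uses only standard `'...'` literals.

```python
import re

def invalid_utf8_offsets(data: bytes) -> list[int]:
    """Byte offset of every sequence a strict UTF-8 decoder rejects
    (stray bytes, truncated sequences, overlong forms such as 0xC0)."""
    offsets, pos = [], 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8", errors="strict")
            break                               # the remainder is clean
        except UnicodeDecodeError as err:
            offsets.append(pos + err.start)
            pos += err.end                      # resume after the bad bytes
    return offsets

def meta_commands_outside_literals(script: bytes) -> list[tuple[int, str]]:
    """(line number, command) for each backslash outside a '...' literal.
    Assumption: only standard literals, where '' is the escaped quote."""
    hits, in_literal, line, i = [], False, 1, 0
    while i < len(script):
        ch = script[i:i + 1]
        if ch == b"\n":
            line += 1
        elif ch == b"'":
            in_literal = not in_literal         # '' toggles twice, net unchanged
        elif ch == b"\\" and not in_literal:
            m = re.match(rb"\\(\S*)", script[i:])
            hits.append((line, m.group(1).decode("ascii", "replace")))
            i += len(m.group(0)) - 1            # skip past the command name
        i += 1
    return hits

def vet_for_psql(script: bytes) -> list[str]:
    """Any finding means: do not pass this text to psql. Quote tracking cannot
    be trusted once the encoding is invalid, so reject rather than repair."""
    findings = [f"invalid UTF-8 at byte {o}" for o in invalid_utf8_offsets(script)]
    findings += [f"meta-command \\{c} on line {n}"
                 for n, c in meta_commands_outside_literals(script)]
    return findings

# Constructed samples: a stray 0xFF byte inside a literal, and a script that
# carries the shell meta-command named in the article on its second line.
BAD_ENCODING = b"INSERT INTO notes VALUES ('caf\xffe');\n"
META_SAMPLE = b"SELECT 'it''s a \\path';\n\\! echo constructed-sample\n"

if __name__ == "__main__":
    for sample in (BAD_ENCODING, META_SAMPLE):
        print(vet_for_psql(sample))
```
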
