PostgreSQL flaw exploited as zero-day in BeyondTrust breach
Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.
BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.
Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-espionage group involved in reconnaissance and data theft attacks that became widely known after hacking an estimated 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
The Chinese hackers specifically targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs.
They also hacked into the Treasury's Office of Financial Research systems, but the impact of this incident is still being assessed.
Silk Typhoon is believed to have used their access to Treasury's BeyondTrust instance to steal "unclassified information relating to potential sanctions actions and other documents."
On December 19, CISA added the CVE-2024-12356 vulnerability to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies secure their networks against ongoing attacks within a week. The cybersecurity agency also ordered federal agencies to patch their systems against CVE-2024-12686 on January 13.
PostgreSQL zero-day linked to BeyondTrust breach
While analyzing CVE-2024-12356, the Rapid7 team uncovered a new zero-day vulnerability in PostgreSQL (CVE-2025-1094), which it reported on January 27 and which was patched on Thursday, February 13, in PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19. CVE-2025-1094 is a SQL injection bug in the string-escaping routines of libpq, PostgreSQL's client library: given an invalid multibyte sequence, such as a lone UTF-8 lead byte immediately followed by a single quote, the escaper treats the quote as part of the multibyte character and copies it through unescaped. When the resulting string is handed to psql, the PostgreSQL interactive terminal, psql's scanner does not accept the malformed character, the hidden quote terminates the string literal, and the rest of the attacker's input is parsed as SQL and psql meta-commands. Because the \! meta-command runs shell commands, the injection can be turned into code execution on the host running psql. Applications that send escaped strings straight to the server over libpq are not exposed through this route; the risk is in scripts and tools that build psql input from escaped text.
"Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns," the PostgreSQL security team explains.
"Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL."
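The escaper-versus-scanner mismatch described above, as an added illustration written for this article rather than PostgreSQL's or Rapid7's code: `vulnerable_escape` mirrors the shape of libpq's unpatched PQescapeString(), which copies a multibyte character whole based on what its lead byte announces, and `split_literal` models a scanner that validates each multibyte sequence before trusting it, so a quote hidden behind a lone 0xC0 byte closes the literal early. `hardened_escape` shows the property the patched libpq enforces, refusing malformed input instead of escaping it. The sample inputs are constructed, and backslash doubling for non-standard-conforming strings is left out for brevity.

```python
# Simplified model of CVE-2025-1094 (illustration only, not PostgreSQL code).

def utf8_lead_len(b: int) -> int:
    """Byte count a UTF-8 lead byte announces (same table as pg_utf_mblen).
    A stray continuation byte or other non-lead byte counts as one byte."""
    if b < 0x80:
        return 1
    if (b & 0xE0) == 0xC0:
        return 2
    if (b & 0xF0) == 0xE0:
        return 3
    if (b & 0xF8) == 0xF0:
        return 4
    return 1


def valid_utf8_char(chunk: bytes) -> bool:
    """True only if chunk is exactly one well-formed UTF-8 character."""
    try:
        return len(chunk.decode("utf-8")) == 1
    except UnicodeDecodeError:
        return False


def vulnerable_escape(data: bytes) -> bytes:
    """Unpatched behaviour: single-byte quotes are doubled, but a multibyte lead
    byte makes the next utf8_lead_len() bytes get copied verbatim without any
    check, so a quote that follows a lone 0xC0 is never escaped."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = utf8_lead_len(data[i])
        if n == 1:
            if data[i] == 0x27:  # single quote: double it
                out.append(0x27)
            out.append(data[i])
            i += 1
        else:
            out += data[i:i + n]  # trusted as one character, never inspected
            i += n
    return bytes(out)


def hardened_escape(data: bytes) -> bytes:
    """Refuses malformed input instead of escaping it; the patched libpq likewise
    stops and reports an error on an invalid multibyte sequence."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 at byte offset {exc.start}") from exc
    return data.replace(b"'", b"''")


def split_literal(stmt: bytes) -> tuple[bytes, bytes]:
    """Model of a validating scanner reading a quoted literal at the start of
    stmt. Returns (literal body, text after the closing quote). A malformed
    multibyte sequence is consumed one byte at a time, so a quote the escaper
    hid inside a bogus character is seen here as the closing quote."""
    if stmt[:1] != b"'":
        raise ValueError("expected a quoted literal")
    body = bytearray()
    i = 1
    while i < len(stmt):
        b = stmt[i]
        n = utf8_lead_len(b)
        if n > 1 and valid_utf8_char(stmt[i:i + n]):
            body += stmt[i:i + n]
            i += n
        elif b == 0x27 and stmt[i + 1:i + 2] == b"'":  # '' inside a literal
            body.append(0x27)
            i += 2
        elif b == 0x27:
            return bytes(body), stmt[i + 1:]
        else:
            body.append(b)
            i += 1
    raise ValueError("unterminated literal")


def leaked_sql(user_input: bytes, escaper) -> bytes:
    """Escape user_input, wrap it as a literal the way a script feeding psql
    would, and return whatever lands outside the literal (b'' means it stayed
    data). The wrapper's own trailing quote is stripped from the result."""
    _body, rest = split_literal(b"'" + escaper(user_input) + b"'")
    return rest[:-1] if rest.endswith(b"'") else rest


# Constructed sample inputs, not captured from any real system.
PAYLOAD = b"\xc0'; \\! id"       # lone UTF-8 lead byte, a quote, then a psql meta-command
BENIGN = "caf\u00e9's".encode()  # valid multibyte text that also contains a quote

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("payload", PAYLOAD)):
        print(name, "vulnerable escaper ->", leaked_sql(data, vulnerable_escape))
        try:
            print(name, "hardened escaper  ->", leaked_sql(data, hardened_escape))
        except ValueError as exc:
            print(name, "hardened escaper  -> rejected:", exc)
```

With the vulnerable escaper the benign input stays inside the literal, while the payload leaves `; \! id` outside it for psql to act on; the hardened escaper rejects the payload before any statement is built. The practical takeaways match the advisory: update to a fixed PostgreSQL release, and avoid the pattern of building psql input from escaped strings at all.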
Rapid7's tests showed that exploiting CVE-2024-12356 for remote code execution required CVE-2025-1094, which suggests the exploit used against BeyondTrust Remote Support in December relied on the PostgreSQL bug.
Additionally, while BeyondTrust classified CVE-2024-12356 as a command injection vulnerability (CWE-77), Rapid7 argues that argument injection (CWE-88) is the more accurate label: the attacker does not supply the command itself, only arguments that are passed to a command the application already runs.
Rapid7 security researchers have also identified a method to exploit CVE-2025-1094 for remote code execution in vulnerable BeyondTrust Remote Support (RS) systems independently of the CVE-2024-12356 argument injection vulnerability.
More importantly, they found that although BeyondTrust's patch for CVE-2024-12356 does not address the root cause of CVE-2025-1094 (which is fixed only by the PostgreSQL update), the additional input sanitization it adds blocks exploitation of both vulnerabilities on patched Remote Support systems.
"We have also learnt that it is possible to exploit CVE-2025-1094 in BeyondTrust Remote Support without the need to leverage CVE-2024-12356," Rapid7 said. "However, due to some additional input sanitation that the patch for CVE-2024-12356 employs, exploitation will still fail."