SecurityWeek

Nation-State

Rapid7 Flags New PostgreSQL Zero-Day Connected to BeyondTrust Exploitation

Rapid7 finds a new zero-day vulnerability in PostgreSQL and links it to a chain of attacks against a BeyondTrust Remote Support product.


Security researchers at Rapid7 on Thursday flagged the discovery of a new zero-day vulnerability in PostgreSQL that appears to have been a critical component in a chain of attacks against a BeyondTrust Remote Support product.

The vulnerability, tagged as CVE-2025-1094, affects the PostgreSQL interactive terminal psql and allows SQL statements containing untrusted but correctly escaped input to trigger SQL injection.

In an interesting twist, Rapid7 is directly connecting the exploitation of the PostgreSQL bug to remote code execution attacks against BeyondTrust Remote Support systems. The hacks have successfully compromised machines at the US Treasury Department.

In every scenario examined, Rapid7 researchers say the BeyondTrust exploit (CVE-2024-12356) required leveraging this PostgreSQL flaw. Although BeyondTrust had issued patches for its vulnerabilities, including CVE-2024-12356 and a separate bug (CVE-2024-12686), the underlying flaw in PostgreSQL remains a concerning pivot point for attackers.

According to Rapid7's public documentation, the bug lies in the way psql handles invalid byte sequences produced by malformed UTF-8 characters. In testing, Rapid7 researchers found that crafted invalid sequences can prematurely terminate a SQL command, allowing attackers to inject additional statements and even trigger shell execution via psql's meta-command.

In controlled tests, the Rapid7 researchers say they were able to inject a command that executed the id command on the system, confirming the potential for full system compromise. 
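Because the weakness described above is triggered by malformed UTF-8 reaching psql inside otherwise correctly escaped input, one defensive control is to refuse any untrusted value that is not valid UTF-8 before it is ever handed to psql or to a quoting routine. The following is an added example written for this article, not code from Rapid7, PostgreSQL or BeyondTrust; the function names and the sample inputs are constructed for illustration. It uses Python's strict UTF-8 decoder, which rejects stray continuation bytes, overlong or invalid lead bytes, and truncated multi-byte sequences.

```python
"""Reject malformed UTF-8 in untrusted input before it reaches psql.

Added example (not from the article or any vendor). Strict decoding
fails on exactly the kind of invalid byte sequences the article says
psql mishandles, so a caller can drop such input instead of quoting it.
"""


class InvalidInputEncoding(ValueError):
    """Raised when untrusted input is not well-formed UTF-8."""


def is_valid_utf8(data: bytes) -> bool:
    """Return True only if every byte sequence in data is well-formed UTF-8."""
    try:
        # 'strict' is the default, but stating it makes the intent explicit:
        # invalid lead bytes, orphan continuation bytes and truncated
        # sequences all raise UnicodeDecodeError here.
        data.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def sanitize_for_query(data: bytes) -> str:
    """Decode untrusted bytes for use as a query parameter, or refuse them.

    The returned str is meant for a parameterized query through a
    database driver. It is not a substitute for parameter binding;
    it only guarantees the value is well-formed UTF-8 text.
    """
    if not is_valid_utf8(data):
        raise InvalidInputEncoding(
            "rejected input containing invalid UTF-8 byte sequence"
        )
    return data.decode("utf-8")


# Constructed sample inputs (hypothetical, for illustration only):
SAMPLE_OK = "user@example.com".encode("utf-8")
SAMPLE_MULTIBYTE_OK = "Zoë".encode("utf-8")          # valid 2-byte sequence
SAMPLE_TRUNCATED = b"name\xe2\x82"                    # 3-byte lead, only 2 bytes
SAMPLE_BAD_LEAD = b"name\xc0\xaf"                     # 0xC0 is never a valid lead
SAMPLE_ORPHAN_CONT = b"name\x80end"                   # continuation byte on its own


def audit_inputs(samples: dict[str, bytes]) -> dict[str, bool]:
    """Report which constructed samples pass the strict UTF-8 check."""
    return {label: is_valid_utf8(value) for label, value in samples.items()}


if __name__ == "__main__":
    report = audit_inputs({
        "ascii": SAMPLE_OK,
        "multibyte": SAMPLE_MULTIBYTE_OK,
        "truncated": SAMPLE_TRUNCATED,
        "bad_lead": SAMPLE_BAD_LEAD,
        "orphan_continuation": SAMPLE_ORPHAN_CONT,
    })
    for label, ok in report.items():
        print(f"{label:>20}: {'accepted' if ok else 'REJECTED'}")
```

The check is deliberately a gate rather than a cleaner: replacing or stripping bad bytes would hand psql a different string than the one that was validated. Pair it with parameter binding through a driver where possible, and keep this validation for the cases where a value genuinely has to be passed to the psql binary.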

The PostgreSQL team released an urgent patch and warned that versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. The project did not acknowledge the zero-day exploitation even as it credited Rapid7 with the discovery.

Rapid7 has also released a Metasploit module that fingerprints vulnerable BeyondTrust systems and automates payload delivery.


The latest twist follows news that Chinese government hackers remotely accessed US Treasury Department workstations and unclassified documents after compromising a BeyondTrust service.

While the Treasury described the situation as a “major cybersecurity incident,” the scope of the breach was not detailed, with no information on how many workstations had been compromised or what types of documents may have been accessed.

In a letter to lawmakers, Aditi Hardikar, Assistant Secretary for Management at the U.S. Department of the Treasury, said the Department learned of the problem from BeyondTrust on December 8th when the vendor said a threat actor had gained access to a key used by BeyondTrust to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.

Treasury officials learned of the exposed key on the same day BeyondTrust publicly disclosed the compromise. A week later, BeyondTrust revealed CVE-2024-12356 — a command injection vulnerability with a CVSS score of 9.8 — that affected Remote Support and Privileged Remote Access versions 24.3.1 and earlier.

Related: CISA Warns of Second BeyondTrust Flaw Exploited in Attacks

Related: China Targeted Foreign Investment, Sanctions Offices in Treasury Hack

Related: Chinese Hackers Hit US Treasury in ‘Major’ Cybersecurity Incident

Related: CISA Urges Immediate Patching of Exploited BeyondTrust Security Bug

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
