Threat Actors Exploit Zero-Day in BeyondTrust and Uncover New PostgreSQL SQL Injection Vulnerability
Threat actors responsible for exploiting a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 are now believed to have also leveraged a previously undisclosed SQL injection flaw in PostgreSQL, according to cybersecurity firm Rapid7.
Newly Discovered PostgreSQL Vulnerability (CVE-2025-1094)
The new vulnerability, identified as CVE-2025-1094 (CVSS score: 8.1), impacts the PostgreSQL interactive tool psql.
Security researcher Stephen Fewer explained, "An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool's ability to run meta-commands."
Rapid7 made this discovery while investigating CVE-2024-12356, a recently patched vulnerability in BeyondTrust software that allowed unauthenticated remote code execution. Their analysis revealed that successful exploitation of CVE-2024-12356 required chaining it with CVE-2025-1094 to gain full remote code execution (RCE).
PostgreSQL Releases Security Patches
In response to this critical flaw, the PostgreSQL maintainers have released security updates in the following versions:
PostgreSQL 17 (Fixed in 17.3)
PostgreSQL 16 (Fixed in 16.7)
PostgreSQL 15 (Fixed in 15.11)
PostgreSQL 14 (Fixed in 14.16)
PostgreSQL 13 (Fixed in 13.19)
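The fixed-version list above is what a defender needs to triage an estate. The following added example (not code from the article, Rapid7 or the PostgreSQL project) turns that list into a small check: it parses a version string of the form produced by `SELECT version()` or `psql --version` (the sample strings below are constructed) and reports whether the release contains the CVE-2025-1094 fix. Majors outside the table are reported as unlisted rather than assumed safe.

```python
import re

# Minimum patched minor release per major branch, taken from the
# PostgreSQL security release list for CVE-2025-1094.
FIXED_VERSIONS = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Matches "PostgreSQL 16.6 on x86_64..." (SELECT version()) and
# "psql (PostgreSQL) 16.6" (psql --version).
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor) from a PostgreSQL version banner, or None."""
    match = _VERSION_RE.search(version_string)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched(major, minor):
    """True/False for branches in the advisory table; None when the branch
    is not listed (e.g. an end-of-life major), so callers do not treat an
    unknown branch as safe."""
    fixed_minor = FIXED_VERSIONS.get(major)
    if fixed_minor is None:
        return None
    return minor >= fixed_minor


def assess(version_string):
    """Classify a banner as 'patched', 'vulnerable', 'unlisted' or 'unknown'."""
    parsed = parse_version(version_string)
    if parsed is None:
        return "unknown"
    status = is_patched(*parsed)
    if status is None:
        return "unlisted"
    return "patched" if status else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners for demonstration only.
    for banner in (
        "psql (PostgreSQL) 16.6",
        "PostgreSQL 17.3 on x86_64-pc-linux-gnu, compiled by gcc",
        "PostgreSQL 13.18 on aarch64-unknown-linux-gnu",
        "PostgreSQL 12.22 on x86_64-pc-linux-gnu",
    ):
        print(f"{banner!r}: {assess(banner)}")
```

Because the flaw is in the psql client, the banner worth checking is the one from the host where psql runs, not only the server's `SELECT version()`.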
The vulnerability stems from how PostgreSQL processes invalid UTF-8 characters, enabling attackers to exploit SQL injection through a shortcut command (\!), which permits shell command execution.
Fewer elaborated, "An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed. Alternatively, an attacker who can generate a SQL injection via CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements."
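Since the root cause described above is the handling of invalid UTF-8 in input that later reaches SQL and psql, the first line of defence in any tooling that passes untrusted bytes to psql is to reject malformed UTF-8 before the bytes are used at all. The following added example (not from the article or the PostgreSQL project) shows a strict validation gate and contrasts it with a lenient decode that silently hides the problem; the sample byte strings are constructed.

```python
def is_valid_utf8(data: bytes) -> bool:
    """Strict UTF-8 check: truncated sequences, lone continuation bytes,
    overlong encodings and encoded surrogates are all rejected by Python's
    strict decoder."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def accept_untrusted_text(data: bytes) -> str:
    """Gate for bytes that will end up in SQL or in a psql script.
    Raises instead of passing malformed input onward; the caller should
    still bind the returned text as a query parameter rather than
    interpolating it into SQL text."""
    if not is_valid_utf8(data):
        raise ValueError("rejected: input is not valid UTF-8")
    return data.decode("utf-8")


def lenient_decode(data: bytes) -> str:
    """What NOT to do: errors='replace' never fails, so malformed bytes
    are quietly turned into U+FFFD and the input is treated as clean."""
    return data.decode("utf-8", errors="replace")


# Constructed samples: two well-formed inputs and four malformed ones.
SAMPLES = {
    "ascii": b"alice",
    "multibyte": "caf\u00e9".encode("utf-8"),
    "truncated_lead_byte": b"caf\xc3",
    "lone_continuation": b"\x80abc",
    "overlong_slash": b"\xc0\xaf",
    "encoded_surrogate": b"\xed\xa0\x80",
}


def classify_samples(samples=SAMPLES):
    """Map each sample name to 'accepted' or 'rejected' by the strict gate."""
    result = {}
    for name, raw in samples.items():
        try:
            accept_untrusted_text(raw)
            result[name] = "accepted"
        except ValueError:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        lenient = lenient_decode(SAMPLES[name])
        print(f"{name:22s} strict={verdict:8s} lenient={lenient!r}")
```

The strict gate is a complement to patching, not a substitute: the fixed psql releases must still be deployed, and any code that builds SQL text from external input should use parameterized queries.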
CISA Adds SimpleHelp Vulnerability to KEV Catalog
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added another security flaw impacting SimpleHelp remote support software (CVE-2024-57727, CVSS score: 7.5) to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been mandated to apply necessary security patches by March 6, 2025.