PostgreSQL Zero-Day Exploited Alongside BeyondTrust in Targeted Attacks
A SQL injection zero-day in PostgreSQL's interactive terminal, psql, was exploited alongside the BeyondTrust Remote Support zero-day to compromise US Treasury Department systems.
What happened: Rapid7 researchers discovered that the December 2024 compromise of the US Treasury Department involved not just the known BeyondTrust Remote Support vulnerability but also a previously unknown SQL injection zero-day in PostgreSQL. The PostgreSQL flaw was a critical component of the exploitation chain, enabling remote code execution through BeyondTrust's database backend.
Technical details: CVE-2025-1094 is a SQL injection vulnerability in PostgreSQL's interactive terminal (psql) and related libraries, caused by improper handling of quoting syntax in certain character encoding configurations. When chained with CVE-2024-12356, the BeyondTrust command injection flaw, it allows unauthenticated attackers to achieve remote code execution. The attack leveraged the BeyondTrust SaaS platform's PostgreSQL database to inject and execute arbitrary OS commands.
Who is affected: Organizations running PostgreSQL with affected character encoding configurations, particularly those using BeyondTrust Remote Support and Privileged Remote Access. The US Treasury Department's Office of Financial Research and Office of Foreign Assets Control (OFAC) were confirmed targets in the original campaign, which was attributed to Chinese state-sponsored actors.
What defenders should do: Update PostgreSQL to version 17.3, 16.7, 15.11, 14.16, or 13.19 (whichever matches your major release), which fix CVE-2025-1094. Apply BeyondTrust patches for CVE-2024-12356. Audit database configurations, especially client character encoding settings. Review database and application query logs for suspicious SQL injection patterns. Organizations using BeyondTrust products should conduct forensic analysis if they were running unpatched versions.
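As an added example for the log review step above (this is not code from the page, Rapid7, PostgreSQL or BeyondTrust), a small Python triage script that flags query text containing bytes that are not valid in the database's declared client encoding, and psql meta-commands that could reach the OS or filesystem. The log format and the sample lines are constructed; the encoding defaults to UTF-8 and is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of query text as it might appear in an application or
# database log (not from the page or any real incident). Line 2 carries a
# byte that is not valid UTF-8; line 3 carries a psql shell meta-command.
SAMPLE_LOG: List[bytes] = [
    b"2025-02-13 10:00:01 [app] query: SELECT id FROM users WHERE name = 'alice'",
    b"2025-02-13 10:00:02 [app] query: SELECT id FROM users WHERE name = 'al\xc0ice'",
    b"2025-02-13 10:00:03 [app] query: \\! id",
    b"2025-02-13 10:00:04 [app] query: SELECT 'caf\xc3\xa9'",
]

# psql meta-commands that reach the OS or the filesystem; a client-side
# command like this inside query text is a red flag that input is reaching psql.
META_COMMAND = re.compile(rb"\\(?:!|copy\b)")


def invalid_byte_offsets(data: bytes, encoding: str = "utf-8") -> List[int]:
    """Absolute offsets of bytes that are not valid in the declared encoding."""
    offsets, pos = [], 0
    while pos < len(data):
        try:
            data[pos:].decode(encoding)
            break  # the remainder decodes cleanly
        except UnicodeDecodeError as err:
            offsets.append(pos + err.start)
            pos += err.start + 1  # skip the bad byte and keep scanning
    return offsets


def triage_line(line: bytes, encoding: str = "utf-8") -> Dict[str, list]:
    """Findings for one log line: invalid byte offsets and psql meta-commands."""
    return {
        "invalid_bytes": invalid_byte_offsets(line, encoding),
        "meta_commands": [m.group(0).decode("ascii") for m in META_COMMAND.finditer(line)],
    }


def scan_log(lines: List[bytes], encoding: str = "utf-8") -> List[Tuple[int, Dict[str, list]]]:
    """Return (line_number, findings) for every line with at least one finding."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        findings = triage_line(line, encoding)
        if findings["invalid_bytes"] or findings["meta_commands"]:
            flagged.append((number, findings))
    return flagged


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {findings}")
```

Set the encoding argument to the client_encoding actually configured on the server; a hit only means the line deserves a closer look, not that exploitation occurred.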
Broader implications: This discovery reveals that the Treasury Department breach was more sophisticated than initially reported, involving a technique that chained application-level and database-level vulnerabilities. The finding highlights the importance of thorough root cause analysis in incident response, as the PostgreSQL zero-day might have gone undetected if researchers had stopped investigating after the BeyondTrust flaw.