
New PostgreSQL Zero Day Found as Part of BeyondTrust Investigation

That unauthenticated remote code execution vulnerability in BeyondTrust products that was used in targeted attacks against the Treasury Department and other organizations a couple of months ago turns out to have a close sibling: a bug in PostgreSQL that researchers recently discovered was a prerequisite for exploiting the BeyondTrust flaw. The maintainers of PostgreSQL have released a fix for the bug, which affects versions 13 through 17.

Why It Matters: The vulnerability is a SQL injection flaw that researcher Stephen Fewer of Rapid7 discovered while looking into the root cause of the BeyondTrust bug (CVE-2024-12356). Fewer discovered that in order to use the BeyondTrust flaw to gain remote code execution, an attacker would also need to exploit the PostgreSQL flaw. This is a previously unknown vulnerability that affects many current versions of PostgreSQL, a widely used open source database. Although the BeyondTrust patch that fixed CVE-2024-12356 incidentally prevented exploitation of the PostgreSQL bug, it did not address the root cause of the bug. 

Key Details

  • CVE-2025-1094 is the result of an “incorrect assumption that when attacker-controlled untrusted input has been safely escaped via PostgreSQL's string escaping routines, it cannot be leveraged to generate a successful SQL injection attack.”

  • “Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection. An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool’s ability to run meta-commands. Meta-commands extend the interactive tool’s functionality by providing a wide variety of additional operations that the interactive tool can perform. The meta-command, identified by the exclamation mark symbol, allows for an operating system shell command to be executed. An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed,” the Rapid7 advisory says.

  • The bug affects PostgreSQL versions 13 through 17.

  • The PostgreSQL project released fixed versions on Feb. 13.
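The root cause described above is an escaping routine that assumed its input was valid UTF-8. The caller-side mitigation is to validate the encoding strictly before anything is escaped or handed to psql. The following is an added illustration of that ordering, not code from PostgreSQL or Rapid7; the `quote_literal` and `build_query` helpers and the sample inputs are constructed for the example.

```python
"""Validate UTF-8 strictly before escaping untrusted input for SQL.

Added illustration for the CVE-2025-1094 bug class; not PostgreSQL or
Rapid7 code. The helper names and sample inputs are constructed.
"""
from __future__ import annotations


def first_invalid_utf8_offset(data: bytes) -> int | None:
    """Return the offset of the first byte that is not part of a valid
    UTF-8 sequence, or None when the whole buffer decodes. Python's strict
    decoder rejects truncated, overlong and surrogate encodings, which are
    the kinds of invalid byte sequences the advisory describes."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def quote_literal(data: bytes) -> str:
    """Turn untrusted bytes into a single-quoted SQL literal.

    Doubling single quotes is only meaningful once the input is known to be
    valid UTF-8, so invalid input is rejected instead of escaped. This shows
    the ordering (validate, then escape); parameterised queries remain the
    better choice wherever the driver supports them."""
    offset = first_invalid_utf8_offset(data)
    if offset is not None:
        raise ValueError(f"invalid UTF-8 at byte offset {offset}; refusing to escape")
    text = data.decode("utf-8")
    if "\x00" in text:  # NUL would truncate the literal in C-based tooling
        raise ValueError("embedded NUL byte in input")
    return "'" + text.replace("'", "''") + "'"


def build_query(name: bytes) -> str:
    """Constructed query builder that routes untrusted input through quote_literal."""
    return "SELECT id FROM users WHERE name = " + quote_literal(name) + ";"


if __name__ == "__main__":
    # Constructed samples: a benign apostrophe, a truncated multi-byte
    # sequence and an overlong lead byte, the last two placed right before
    # a quote character so the encoding check must catch them.
    print(build_query(b"O'Brien"))
    for bad in (b"abc\xe2\x82'", b"\xc0'"):
        try:
            build_query(bad)
        except ValueError as err:
            print("rejected:", err)
```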

Rapid7 has released a full technical analysis of the issue on its AttackerKB site and there is also a Metasploit module available for CVE-2025-1094.