Menace actors who have been behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Distant Entry (PRA) and Distant Assist (RS) merchandise in December 2024 doubtless additionally exploited a beforehand unknown SQL injection flaw in PostgreSQL, based on findings from Rapid7.
The vulnerability, tracked as CVE-2025-1094 (CVSS rating: 8.1), impacts the PostgreSQL interactive device psql.
“An attacker who can generate a SQL injection by way of CVE-2025-1094 can then obtain arbitrary code execution (ACE) by leveraging the interactive device’s potential to run meta-commands,” security researcher Stephen Fewer stated.
The cybersecurity firm additional famous that it made the invention as a part of its investigation into CVE-2024-12356, a lately patched security flaw in BeyondTrust software program that permits for unauthenticated distant code execution.
Particularly, it discovered that “a profitable exploit for CVE-2024-12356 needed to embody exploitation of CVE-2025-1094 to be able to obtain distant code execution.”
In a coordinated disclosure, the maintainers of PostgreSQL launched an replace to deal with the issue within the following variations –
- PostgreSQL 17 (Fastened in 17.3)
- PostgreSQL 16 (Fastened in 16.7)
- PostgreSQL 15 (Fastened in 15.11)
- PostgreSQL 14 (Fastened in 14.16)
- PostgreSQL 13 (Fastened in 13.19)
The vulnerability stems from how PostgreSQL handles invalid UTF-8 characters, thus opening the door to a state of affairs the place an attacker might exploit an SQL injection by making use of a shortcut command “!”, which allows shell command execution.
“An attacker can leverage CVE-2025-1094 to carry out this meta-command, thus controlling the working system shell command that’s executed,” Fewer stated. “Alternatively, an attacker who can generate a SQL injection by way of CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements.”
The event comes because the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added a security flaw impacting SimpleHelp distant help software program (CVE-2024-57727, CVSS rating: 7.5) to the Identified Exploited Vulnerabilities (KEV) catalog, requiring federal businesses to use the fixes by March 6, 2025.
