Rapid7’s vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.
BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.
Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-espionage group involved in reconnaissance and data theft attacks that became widely known after hacking an estimated 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
The Chinese hackers specifically targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs.
They also hacked into the Treasury’s Office of Financial Research systems, but the impact of this incident is still being assessed.
Silk Typhoon is believed to have used their access to Treasury’s BeyondTrust instance to steal “unclassified information relating to potential sanctions actions and other documents.”
On December 19, CISA added the CVE-2024-12356 vulnerability to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies secure their networks against ongoing attacks within a week. The cybersecurity agency also ordered federal agencies to patch their systems against CVE-2024-12686 on January 13.
PostgreSQL zero-day linked to BeyondTrust breach
While analyzing CVE-2024-12356, the Rapid7 team uncovered a new zero-day vulnerability in PostgreSQL (CVE-2025-1094), which was reported on January 27 and patched on Thursday. CVE-2025-1094 allows SQL injection when psql, the PostgreSQL interactive terminal, reads untrusted input, because the escaping routines incorrectly process certain invalid byte sequences (malformed UTF-8 characters), so a quoting character can slip through unescaped.
“Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns,” the PostgreSQL security team explains.
“Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL.”
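The advisory above describes the root cause as quoting routines mishandling byte sequences that are not valid in the client encoding. The defensive pattern is to validate that untrusted bytes decode strictly in the declared client encoding (UTF-8, BIG5, etc.) before they reach any escaping function or a psql script, and to quote decoded text rather than raw bytes. The following is an added illustration written for this article, not code from PostgreSQL, Rapid7 or BeyondTrust; the function names and the sample inputs are constructed for the example.

```python
"""Validate client-encoding before quoting (added defensive example, not PostgreSQL code).

Rationale: the libpq escaping bug concerned invalid multibyte sequences being
processed as if they were complete characters. Decoding strictly first means a
stray lead byte can never be paired with a following quote character.
"""


def validate_client_encoding(raw: bytes, client_encoding: str = "utf-8") -> str:
    """Return the decoded text, or raise ValueError if `raw` is not valid in `client_encoding`."""
    try:
        return raw.decode(client_encoding, errors="strict")
    except UnicodeDecodeError as exc:
        # Report the offending byte so the rejection can be logged for detection.
        raise ValueError(
            f"input is not valid {client_encoding}: byte 0x{raw[exc.start]:02x} at offset {exc.start}"
        ) from exc


def quote_literal(text: str) -> str:
    """Quote already-decoded text as a SQL string literal by doubling single quotes.

    Operating on `str` (code points) rather than `bytes` means a quote cannot be
    mistaken for the trailing byte of a multibyte character.
    """
    return "'" + text.replace("'", "''") + "'"


def safe_literal(raw: bytes, client_encoding: str = "utf-8") -> str:
    """Validate then quote; the only path by which untrusted bytes become a literal."""
    return quote_literal(validate_client_encoding(raw, client_encoding))


def check_inputs(samples: list[tuple[bytes, str]]) -> list[tuple[bytes, str]]:
    """Run a batch of (bytes, encoding) pairs and return (input, outcome) for review.

    Outcome is either the quoted literal or the string "REJECTED: <reason>".
    """
    results = []
    for raw, enc in samples:
        try:
            results.append((raw, safe_literal(raw, enc)))
        except ValueError as err:
            results.append((raw, f"REJECTED: {err}"))
    return results


if __name__ == "__main__":
    # Constructed sample inputs: valid ASCII with a quote, valid UTF-8 multibyte text,
    # valid BIG5 text, and two truncated lead bytes followed by a quote character.
    constructed = [
        (b"O'Brien", "utf-8"),
        ("日本".encode("utf-8"), "utf-8"),
        (b"\xa4\x40", "big5"),          # BIG5 for a single CJK character
        (b"ab\xc3'cd", "utf-8"),        # UTF-8 lead byte with no continuation byte
        (b"ab\xa4'cd", "big5"),         # BIG5 lead byte with an invalid trail byte
    ]
    for raw, outcome in check_inputs(constructed):
        print(f"{raw!r:20} -> {outcome}")
```

Where the application can use parameterised queries through a driver, that remains preferable to building SQL text at all; the validation step above is for the cases the advisory names, where the result is fed to psql or another command-line utility and string construction is unavoidable.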
Rapid7’s tests showed that successfully exploiting CVE-2024-12356 to achieve remote code execution requires using CVE-2025-1094, suggesting that the exploit associated with BeyondTrust RS CVE-2024-12356 relied on the exploitation of PostgreSQL CVE-2025-1094.
Additionally, while BeyondTrust said CVE-2024-12356 is a command injection vulnerability (CWE-77), Rapid7 argues that it would be more accurately classified as an argument injection vulnerability (CWE-88).
Rapid7 security researchers have also identified a method to exploit CVE-2025-1094 for remote code execution in vulnerable BeyondTrust Remote Support (RS) systems independently of the CVE-2024-12356 argument injection vulnerability.
More importantly, they’ve found that while BeyondTrust’s patch for CVE-2024-12356 does not address CVE-2025-1094’s root cause, it successfully prevents the exploitation of both vulnerabilities.
“We have also learnt that it is possible to exploit CVE-2025-1094 in BeyondTrust Remote Support without the need to leverage CVE-2024-12356,” Rapid7 said. “However, due to some additional input sanitation that the patch for CVE-2024-12356 employs, exploitation will still fail.”
