Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7.
The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql.
“An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool’s ability to run meta-commands,” security researcher Stephen Fewer said.
The cybersecurity company further noted that it made the discovery as part of its investigation into CVE-2024-12356, a recently patched security flaw in BeyondTrust software that allows for unauthenticated remote code execution.
Specifically, it found that “a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution.”
In a coordinated disclosure, the maintainers of PostgreSQL released an update to address the problem in the following versions –
- PostgreSQL 17 (Fixed in 17.3)
- PostgreSQL 16 (Fixed in 16.7)
- PostgreSQL 15 (Fixed in 15.11)
- PostgreSQL 14 (Fixed in 14.16)
- PostgreSQL 13 (Fixed in 13.19)
The vulnerability stems from how PostgreSQL handles invalid UTF-8 characters, thus opening the door to a scenario where an attacker could exploit an SQL injection by making use of a shortcut command “!”, which enables shell command execution.
“An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed,” Fewer said. “Alternatively, an attacker who can generate a SQL injection via CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements.”
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SimpleHelp remote support software (CVE-2024-57727, CVSS score: 7.5) to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by March 6, 2025.