Researchers have discovered that threat actors who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 also took advantage of a previously unknown SQL injection flaw in PostgreSQL, according to Rapid7.
The vulnerability, identified as CVE-2025-1094 (CVSS score: 8.1), impacts the PostgreSQL interactive tool psql.
“By exploiting CVE-2025-1094 to generate a SQL injection, attackers can achieve arbitrary code execution (ACE) through the tool’s meta-command capabilities,” explained security researcher Stephen Fewer in a blog post.
Rapid7’s investigation into CVE-2024-12356, a recently patched BeyondTrust flaw that allows unauthenticated remote code execution, found that successfully exploiting it to reach remote code execution required chaining CVE-2025-1094.
The maintainers of PostgreSQL have released updates to address the issue in the following versions:
- PostgreSQL 17 (Fixed in 17.3)
- PostgreSQL 16 (Fixed in 16.7)
- PostgreSQL 15 (Fixed in 15.11)
- PostgreSQL 14 (Fixed in 14.16)
- PostgreSQL 13 (Fixed in 13.19)
The PostgreSQL flaw stems from how invalid UTF-8 byte sequences are handled: a crafted invalid multibyte character can stop a quote from being neutralized, letting an attacker break out of a string literal and inject text into the input psql reads. Because psql treats a backslash at the start of a command as a meta-command, and "\!" runs its argument in an operating-system shell, that injection becomes shell command execution.
“CVE-2025-1094 enables attackers to execute meta-commands, thereby controlling the shell command executed by the operating system,” Fewer added. “Alternatively, attackers can execute arbitrary SQL statements using this SQL injection.”
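As an added illustration of the bug class the paragraphs above describe (written for this article; it is not PostgreSQL's or Rapid7's code), the following Python models two components that disagree about the length of a multibyte character: a toy escaper that, like an mblen()-driven routine, trusts a UTF-8 lead byte and copies the bytes it claims, and a toy psql-style scanner that treats an invalid lead byte as one ordinary byte. The byte 0xC0, the `id` command, the sample inputs and all function names are the example's own choices, not details taken from the advisory.

```python
# Added example: simplified model of the bug class behind CVE-2025-1094.
# Not PostgreSQL code: a toy escaper and a toy psql-style scanner stand in
# for libpq's escaping routines and psql's lexer. Inputs are constructed.


def utf8_mblen(lead: int) -> int:
    """Length a UTF-8 lead byte *claims* for its character (mblen-style)."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead < 0xE0:
        return 2
    if 0xE0 <= lead < 0xF0:
        return 3
    if 0xF0 <= lead < 0xF8:
        return 4
    return 1  # continuation or illegal lead byte: treated as a single byte


def naive_escape_literal(raw: bytes) -> bytes:
    """Toy escaper that trusts the lead byte and copies mblen bytes verbatim.

    A single quote sitting where a continuation byte should be is copied
    without being doubled, so the produced literal can be closed early.
    """
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = utf8_mblen(raw[i])
        if n == 1:
            out += b"''" if raw[i] == 0x27 else bytes([raw[i]])
            i += 1
        else:
            out += raw[i:i + n]  # trailing bytes are never inspected
            i += n
    out += b"'"
    return bytes(out)


def safe_escape_literal(raw: bytes) -> bytes:
    """Reject invalid UTF-8 before escaping, so no truncated sequence exists
    for a quote to hide in; then double quotes on the validated text."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 at byte {exc.start}; refusing to escape") from exc
    return b"'" + text.replace("'", "''").encode("utf-8") + b"'"


def meta_commands(script: bytes) -> list[bytes]:
    """Toy psql-style scanner: single quotes toggle string state byte by byte
    (an invalid lead byte is just one byte), ';' or a newline outside a string
    ends a command, and a backslash at the start of a command is a meta-command.
    Returns the meta-commands that would be executed."""
    found = []
    in_string = False
    at_cmd_start = True
    i = 0
    while i < len(script):
        b = script[i]
        if in_string:
            in_string = b != 0x27
            i += 1
            continue
        if b == 0x27:
            in_string = True
            at_cmd_start = False
        elif b == 0x5C and at_cmd_start:
            end = script.find(b"\n", i)
            end = len(script) if end == -1 else end
            found.append(script[i:end])
            i = end  # the newline that ends the meta-command restarts command state
            continue
        elif b in b";\n":
            at_cmd_start = True
        elif b not in b" \t":
            at_cmd_start = False
        i += 1
    return found


def build_script(raw: bytes) -> bytes:
    """Statement an application would hand to psql after naive escaping."""
    return b"SELECT " + naive_escape_literal(raw) + b";\n"


if __name__ == "__main__":
    # Constructed attacker input: a lone lead byte hides the quote after it.
    attack = b"\xc0'; \\! id\n"
    script = build_script(attack)
    print(script, meta_commands(script))  # meta_commands -> [b'\\! id']
    try:
        safe_escape_literal(attack)
    except ValueError as e:
        print("rejected:", e)
```

The disagreement is the whole bug: the escaper believes the quote is the second byte of a character and never doubles it, while the scanner sees a real quote, closes the literal, ends the statement and reads `\! id` as a meta-command. Validating that input is well-formed UTF-8 before it is escaped (as safe_escape_literal does), or upgrading to the fixed releases listed above, removes the ambiguity.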
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw affecting SimpleHelp remote support software (CVE-2024-57727, CVSS score: 7.5) to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by March 6, 2025.