According to findings from Rapid7, the threat actors responsible for exploiting a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 most likely also exploited a previously undiscovered SQL injection flaw in PostgreSQL.
The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql.
"An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool's ability to run meta-commands," security researcher Stephen Fewer said.
The cybersecurity firm added that it made the discovery as part of its investigation into CVE-2024-12356, a previously fixed security flaw that allows for unauthenticated remote code execution.
Specifically, it found that "a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution."
The PostgreSQL maintainers have released an advisory addressing the issue in the following versions:
- PostgreSQL 17 (fixed in 17.3)
- PostgreSQL 16 (fixed in 16.7)
- PostgreSQL 15 (fixed in 15.11)
- PostgreSQL 14 (fixed in 14.16)
- PostgreSQL 13 (fixed in 13.19)
The vulnerability stems from how PostgreSQL handles invalid UTF-8 characters, which makes it possible for an attacker to exploit a SQL injection by using the psql meta-command "\!" to achieve shell command execution.
"An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed," Fewer said. "Alternatively, an attacker who can generate a SQL injection via CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements."
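One defender-side control for the bug class described above is to refuse any input that is not well-formed UTF-8 before it reaches a quoting routine, a database driver or psql. The following is an added example, not code from the article, Rapid7 or PostgreSQL; the sample byte strings are constructed.

```python
"""Strict UTF-8 gate at the application boundary (added example).

Malformed UTF-8 should be rejected before a value reaches any SQL quoting
or escaping layer; Python's strict decoder implements RFC 3629 checks
(truncated sequences, overlong forms, surrogates, stray continuation bytes).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str   # codec's reason text, "" when ok
    offset: int   # byte offset of the first malformed byte, -1 when ok


def check_utf8(data: bytes) -> Verdict:
    """Validate strictly; never use errors="replace"/"ignore" for DB input."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as e:
        return Verdict(False, e.reason, e.start)
    return Verdict(True, "", -1)


def sanitize_field(data: bytes) -> str:
    """Return decoded text only if well-formed, else raise so the value never
    reaches the database. Pass the result as a bound query parameter, not by
    string-building SQL."""
    v = check_utf8(data)
    if not v.ok:
        raise ValueError(f"rejecting field: {v.reason} at byte {v.offset}")
    return data.decode("utf-8")


# Constructed samples: one valid value and malformations a strict decoder refuses.
SAMPLES = {
    "valid": b"caf\xc3\xa9",              # "caf\u00e9"
    "truncated": b"ab\xc3",               # lead byte with no continuation byte
    "overlong_slash": b"\xc0\xaf",        # overlong encoding of '/'
    "surrogate": b"\xed\xa0\x80",         # UTF-16 surrogate, illegal in UTF-8
    "stray_continuation": b"\x80abc",     # continuation byte with no lead byte
}


def run_samples() -> dict[str, bool]:
    """Map each sample name to whether the strict gate accepts it."""
    return {name: check_utf8(raw).ok for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```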
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SimpleHelp remote support software (CVSS score: 7.5) to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by March 6, 2025.