
PostgreSQL vulnerability exploited in US Treasury attack


The suspected Chinese state-sponsored hackers who compromised the workstations of several US Treasury employees in December 2024 did so by leveraging not one, but two zero-days, according to Rapid7 researchers. Initially, it was believed that the attackers compromised the Treasury’s BeyondTrust Remote Support SaaS instances via CVE-2024-12356, a previously unknown unauthenticated command injection vulnerability. However, Rapid7 researchers discovered that a successful exploit for CVE-2024-12356 also required the exploitation of a second vulnerability, CVE-2025-1094, in order to achieve remote code execution.

CVE-2025-1094 stems from how the PostgreSQL interactive terminal (psql) handles certain invalid byte sequences in malformed UTF-8 input, and the mishandling can be leveraged for SQL injection. Stephen Fewer, Principal Security Researcher at Rapid7, explained that an attacker who can achieve SQL injection via CVE-2025-1094 can escalate it to arbitrary code execution by leveraging psql’s ability to run meta-commands.

The \! meta-command (a backslash followed by an exclamation mark) instructs psql to execute an operating system shell command.


Alternatively, the injection can be used to execute arbitrary attacker-controlled SQL statements.
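The failure mode described above, illustrated from the defender's side in an example added here (it is not code from the article, from Rapid7, or from PostgreSQL): a byte-level quoting routine that never validates encoding sits beside one that rejects malformed UTF-8 before any quoting happens, a check flags scripts that would hand a line to the shell through the \! meta-command, and a scanner runs over constructed log lines looking for PostgreSQL's standard "invalid byte sequence" error. Every function name and the sample log are assumptions; the specific error messages Rapid7 published as indicators are not reproduced here.

```python
import re

# Added defensive example (not code from the original article, Rapid7, or
# PostgreSQL). Function names and sample data below are constructed for
# illustration.


class InvalidEncoding(ValueError):
    """Raised when input that must be UTF-8 is not."""


def is_strict_utf8(raw: bytes) -> bool:
    """Return True only if `raw` decodes as well-formed UTF-8."""
    try:
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def naive_escape_literal(raw: bytes) -> bytes:
    """Quote a literal by doubling single quotes and nothing else.

    This is the risky pattern: it never checks that `raw` is well-formed,
    so the quoting it produces is only meaningful if every consumer agrees
    on where each character ends. The article's point about CVE-2025-1094
    is exactly that invalid byte sequences break that agreement.
    """
    return b"'" + raw.replace(b"'", b"''") + b"'"


def hardened_escape_literal(raw: bytes) -> str:
    """Quote a literal only after strict UTF-8 validation.

    Decoding with errors="strict" rejects overlong and truncated sequences
    before any quoting happens, so malformed bytes never reach the SQL
    text at all.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidEncoding(
            f"rejecting non-UTF-8 input at byte offset {exc.start}") from exc
    return "'" + text.replace("'", "''") + "'"


# psql treats a line beginning with "\!" as a request to run a shell command.
SHELL_META = re.compile(r"^\s*\\!", re.MULTILINE)


def contains_shell_metacommand(script: str) -> bool:
    """Flag psql scripts that contain a line starting with the \\! meta-command."""
    return SHELL_META.search(script) is not None


# PostgreSQL's server-side message for malformed input in the client
# encoding; the actual indicators Rapid7 published are not reproduced here.
ENCODING_ERROR = re.compile(
    r'invalid byte sequence for encoding "UTF8": (0x[0-9a-fA-F]{2})')


def scan_postgres_log(lines):
    """Return (line_number, offending_byte) for each encoding error seen."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = ENCODING_ERROR.search(line)
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample log lines in a PostgreSQL-style log format.
SAMPLE_LOG = [
    '2025-02-14 10:00:01 UTC [4242] LOG:  connection authorized: user=app database=app',
    '2025-02-14 10:00:02 UTC [4242] ERROR:  invalid byte sequence for encoding "UTF8": 0xc0',
    '2025-02-14 10:00:02 UTC [4242] STATEMENT:  SELECT name FROM users WHERE id = $1',
]

if __name__ == "__main__":
    print(hardened_escape_literal(b"O'Brien"))
    print(is_strict_utf8(b"\xc0"))
    print(scan_postgres_log(SAMPLE_LOG))
```

Rejecting malformed input at the boundary is a mitigation for callers that build psql input themselves; it does not replace upgrading to a fixed PostgreSQL version, and parameterised queries through a database driver remain the preferred way to keep untrusted data out of SQL text entirely.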

The PostgreSQL team was notified and released a fix for CVE-2025-1094 on February 13, 2025. The BeyondTrust December patches also mitigate the risk of attackers leveraging the PostgreSQL zero-day against BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions. Caitlin Condon, vulnerability research director at Rapid7, noted that CVE-2025-1094 is non-trivial to exploit, and that Rapid7 does not expect it to be exploited in PostgreSQL deployments outside of the known vulnerable BeyondTrust RS and PRA versions.

It’s clear that the adversaries who perpetrated the December attack were very familiar with the target technology.

PostgreSQL users are advised to upgrade to a fixed PostgreSQL version: 17.3, 16.7, 15.11, 14.16, or 13.19. BeyondTrust users who haven’t yet applied the December 2024 fix should do so promptly. Rapid7 has released detailed advisories on both zero-days and has shared indicators of compromise, such as specific error messages in logs, that could point to CVE-2025-1094 being exploited on BeyondTrust Remote Support instances.

Image Credits: Photo by Markus Spiske on Pexels
