Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts discovered PostgreSQL flaw chained with BeyondTrust zeroday in targeted attacks

Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7. Rapid7 researchers discovered a high-severity SQL injection flaw, tracked as CVE-2025-1094, in PostgreSQL’s psql tool. The experts discovered the flaw while investigating the exploitation of the vulnerability CVE-2024-12356 for remote code execution. BeyondTrust patched CVE-2024-12356 in December […]

PostgreSQL

Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7.

Rapid7 researchers discovered a high-severity SQL injection flaw, tracked as CVE-2025-1094, in PostgreSQL’s psql tool. The experts discovered the flaw while investigating the exploitation of the vulnerability CVE-2024-12356 for remote code execution. BeyondTrust patched CVE-2024-12356 in December 2024, blocking both vulnerabilities, but CVE-2025-1094 remained a zero-day until Rapid7 reported it to PostgreSQL.

The investigation into the cyberattack against BeyondTrust led to the discovery of the zero-day vulnerabilities CVE-2024-12356 and CVE-2024-12686. Threat actors exploited the flaws to take over Remote Support SaaS instances, including the Treasury Department’s one.

“Rapid7 discovered that in every scenario we tested, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution.” reads the advisory published by Rapid7. “While CVE-2024-12356 was patched by BeyondTrust in December 2024, and this patch successfully blocks exploitation of both CVE-2024-12356 and CVE-2025-1094, the patch did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered and reported it to PostgreSQL.”

The vulnerability CVE-2025-1094 (CVSS score: 8.1) is an SQL injection issue in PostgreSQL caused by improper neutralization of quoting syntax in libpq functions (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()). This flaw arises when applications improperly use the function output to construct queries for psql, PostgreSQL’s interactive terminal.

The vulnerability impacts PostgreSQL versions before 17.3, 16.7, 15.11, 14.16, and 13.19, potentially allowing attackers to inject malicious SQL commands in vulnerable implementations.

CVE-2025-1094 exploits how PostgreSQL handles invalid UTF-8 characters, allowing SQL injection in psql. Attackers can then execute arbitrary code by using psql meta-commands, specifically the exclamation mark (!) command, which runs OS shell commands potentially leading to full system control.

“Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection.” continues the report. “An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool’s ability to run meta-commands. Meta-commands extend the interactive tools functionality, by providing a wide variety of additional operations that the interactive tool can perform. The meta-command, identified by the exclamation mark symbol, allows for an operating system shell command to be executed. An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed.”

PostgreSQL addressed the flaw with the release of the following versions:

  • PostgreSQL 17.3
  • PostgreSQL 16.7
  • PostgreSQL 15.11
  • PostgreSQL 14.16
  • PostgreSQL 13.19

Stephen Fewer, principal Security Researcher at Rapid7, discovered the vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SQL injection)