Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.

BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key. Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.

Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-espionage group involved in reconnaissance and data theft attacks that became widely known after hacking an estimated 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days. On December 19, CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies secure their networks against the ongoing attacks within a week.

While analyzing CVE-2024-12356, the Rapid7 team uncovered a new zero-day vulnerability in PostgreSQL (CVE-2025-1094), which it reported on January 27 and which was patched on Thursday, February 13, in PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19.

"Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns," the PostgreSQL security team explains.

Those functions are the standard way for a libpq client to quote untrusted input before splicing it into SQL text, so an application that relies on them can still be injectable even though it escaped the input. The injection turns into code execution when the assembled statement is fed to psql, whose `\!` meta-command runs a shell command; that is the path Rapid7 describes for BeyondTrust Remote Support.

Rapid7's tests showed that exploiting CVE-2024-12356 for remote code execution requires CVE-2025-1094, which suggests that the exploit used against BeyondTrust RS relied on the PostgreSQL flaw. Rapid7 has also identified a way to reach remote code execution in vulnerable Remote Support systems through CVE-2025-1094 alone, without the argument injection bug.

"We have also learnt that it is possible to exploit CVE-2025-1094 in BeyondTrust Remote Support without the need to leverage CVE-2024-12356," Rapid7 said.

Additionally, while BeyondTrust classified CVE-2024-12356 as a command injection vulnerability (CWE-77), Rapid7 argues that it is more accurately an argument injection (CWE-88): the attacker-controlled input lands in the argument list of a program the application legitimately invokes, rather than forming a new command of its own.
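How a quoting bug of this class produces an injection, shown as an added illustration that is not code from the page, from Rapid7 or from PostgreSQL. The toy escaper below models the pattern the upstream fix for CVE-2025-1094 addresses in the libpq functions quoted above: the escaper copies a multibyte character by the length its lead byte implies without verifying that the trailing bytes are valid continuation bytes, so a single quote placed right after a truncated lead byte is copied verbatim instead of doubled. A hardened variant that rejects invalidly encoded input sits beside it, and a byte-level statement scanner (standing in for a consumer such as psql's lexer that does not validate encoding) shows where the attacker's text ends up. All function names, the sample inputs and the scanner are constructed for this example; the real PQescapeStringConn() also handles the connection's encoding and standard_conforming_strings, which this model omits.

```python
# Added illustration (not libpq code): a toy model of the escaping pattern
# behind CVE-2025-1094 and of its hardened form. Names and sample inputs are
# constructed for this example.

QUOTE = 0x27  # the ' byte

PREFIX = b"SELECT id FROM users WHERE name = "  # fixed part of the statement


def utf8_len(lead: int) -> int:
    """Byte length a UTF-8 lead byte claims for its character (mblen-style).
    Stray continuation bytes and 0xF8+ are treated as single bytes."""
    if lead < 0x80:
        return 1
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1


def escape_unchecked(raw: bytes) -> bytes:
    """Models the pre-fix behaviour: single quotes are doubled, but a multibyte
    lead byte makes the escaper copy the following bytes verbatim as 'part of
    the character' without checking that they are continuation bytes. A quote
    in that position is therefore never doubled."""
    out = bytearray()
    i = 0
    while i < len(raw):
        n = utf8_len(raw[i])
        if n > 1:
            out += raw[i:i + n]  # the bug: trusts n and copies whatever follows
            i += n
            continue
        if raw[i] == QUOTE:
            out += b"''"
        else:
            out.append(raw[i])
        i += 1
    return bytes(out)


def escape_checked(raw: bytes) -> bytes:
    """Models the fixed behaviour: an invalid multibyte sequence is an error,
    never silently copied. (Upstream verifies per character and reports the
    error through the connection; a strict decode is the equivalent here.)"""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid multibyte sequence at byte {exc.start}") from exc
    return escape_unchecked(raw)  # once the input is valid, the copy is safe


def build_query(name: bytes, escape) -> bytes:
    """Assemble a statement the way a caller of PQescapeString() would."""
    return PREFIX + b"'" + escape(name) + b"'"


def outside_literals(sql: bytes) -> bytes:
    """Byte-level scan like a statement splitter that does not validate
    encoding: returns only the bytes outside single-quoted literals, treating
    '' inside a literal as an escaped quote."""
    out = bytearray()
    in_lit = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_lit:
            if c == QUOTE:
                if i + 1 < len(sql) and sql[i + 1] == QUOTE:
                    i += 2  # '' stays inside the literal
                    continue
                in_lit = False
        elif c == QUOTE:
            in_lit = True
        else:
            out.append(c)
        i += 1
    return bytes(out)


def injected(name: bytes, escape) -> bool:
    """True if any attacker-controlled byte ended up outside the literal."""
    return outside_literals(build_query(name, escape)) != PREFIX


if __name__ == "__main__":
    benign = b"O'Brien"            # constructed sample input
    hostile = b"\xc0' OR 1=1 --"   # constructed: truncated lead byte, then a quote
    print(build_query(hostile, escape_unchecked))
    print("benign injected:", injected(benign, escape_unchecked))
    print("hostile injected:", injected(hostile, escape_unchecked))
    try:
        escape_checked(hostile)
    except ValueError as err:
        print("hardened escaper rejected input:", err)
```

With the unchecked escaper the hostile name yields `'\xc0' OR 1=1 --'`: the scanner closes the literal at the second byte's quote and ` OR 1=1 --` lands in statement position. Whether the server ever sees that text depends on the consumer, which is why the advisory says "in certain usage patterns"; a consumer that validates encoding before lexing would reject the statement, while one that does not (the case Rapid7 reports for psql) executes it. The practical checks for a libpq-based application are therefore to run a patched libpq, to pass untrusted values as parameters (PQexecParams) rather than through string escaping, and never to feed escaped strings to psql.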
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 14 Feb 2025 14:20:18 +0000