Rapid7’s vulnerability analysis group says attackers exploited a PostgreSQL safety flaw as a zero-day to breach the community of privileged entry administration firm BeyondTrust in December.
BeyondTrust revealed that attackers breached its methods and 17 Distant Assist SaaS situations in early December utilizing two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Lower than one month later, in early January, the U.S. Treasury Division disclosed that its community was breached by risk actors who used a stolen Distant Assist SaaS API key to compromise its BeyondTrust occasion.
Since then, the Treasury breach has been linked to Chinese language state-backed hackers tracked as Silk Hurricane, a cyber-espionage group concerned in reconnaissance and knowledge theft assaults that grew to become extensively recognized after hacking an estimated 68,500 servers in early 2021 utilizing Microsoft Change Server ProxyLogon zero-days.
The Chinese language hackers particularly focused the Committee on International Funding in the USA (CFIUS), which evaluations overseas investments for nationwide safety dangers, and the Workplace of International Property Management (OFAC), which administers commerce and financial sanctions applications.
In addition they hacked into the Treasury’s Workplace of Monetary Analysis methods, however the impression of this incident continues to be being assessed.
Silk Hurricane is believed to have used their entry to Treasury’s BeyondTrust occasion to steal “unclassified data referring to potential sanctions actions and different paperwork.”
On December 19, CISA added the CVE-2024-12356 vulnerability to its Identified Exploited Vulnerabilities catalog, mandating that U.S. federal businesses safe their networks towards ongoing assaults inside every week. The cybersecurity company additionally ordered federal businesses to patch their methods towards CVE-2024-12686 on January 13.
PostgreSQL zero-day linked to BeyondTrust breach
Whereas analyzing CVE-2024-12356, the Rapid7 group uncovered a brand new zero-day vulnerability in PostgreSQL (CVE-2025-1094), which was reported on January 27 and patched on Thursday. CVE-2025-1094 permits SQL injections when the PostgreSQL interactive software reads untrusted enter, because it incorrectly processes particular invalid byte sequences from invalid UTF-8 characters.
“Improper neutralization of quoting syntax in PostgreSQL libpq features PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() permits a database enter supplier to attain SQL injection in sure utilization patterns,” the PostgreSQL safety group explains.
“Particularly, SQL injection requires the appliance to make use of the perform outcome to assemble enter to psql, the PostgreSQL interactive terminal. Equally, improper neutralization of quoting syntax in PostgreSQL command line utility applications permits a supply of command line arguments to attain SQL injection when client_encoding is BIG5 and server_encoding is one among EUC_TW or MULE_INTERNAL.”
Rapid7’s exams confirmed that efficiently exploiting CVE-2024-12356 to attain distant code execution requires utilizing CVE-2025-1094, suggesting that the exploit related to BeyondTrust RS CVE-2024-12356 relied on the exploitation of PostgreSQL CVE-2025-1094.
Moreover, whereas BeyondTrust mentioned CVE-2024-12356 is a command injection vulnerability (CWE-77), Rapid7 argues that it could be extra precisely categorized as an argument injection vulnerability (CWE-88).
Rapid7 safety researchers have additionally recognized a way to take advantage of CVE-2025-1094 for distant code execution in weak BeyondTrust Distant Assist (RS) methods independently of the CVE-2024-12356 argument injection vulnerability.
Extra importantly, they’ve discovered that whereas BeyondTrust’s patch for CVE-2024-12356 doesn’t handle CVE-2025-1094’s root trigger, it efficiently prevents the exploitation of each vulnerabilities.
“We have now additionally learnt that it’s potential to take advantage of CVE-2025-1094 in BeyondTrust Distant Assist with out the necessity to leverage CVE-2024-12356,” Rapid7 mentioned. “Nevertheless, attributable to some extra enter sanitation that the patch for CVE-2024-12356 employs, exploitation will nonetheless fail.”