Saturday, February 22, 2025

PostgreSQL flaw exploited as zero-day in BeyondTrust breach


Rapid7’s vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.

BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.

Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.

Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-espionage group involved in reconnaissance and data theft attacks that became widely known after hacking an estimated 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.

The Chinese hackers specifically targeted the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks, and the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs.

They also hacked into the Treasury’s Office of Financial Research systems, but the impact of this incident is still being assessed.

Silk Typhoon is believed to have used their access to Treasury’s BeyondTrust instance to steal “unclassified information relating to potential sanctions actions and other documents.”

On December 19, CISA added the CVE-2024-12356 vulnerability to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies secure their networks against ongoing attacks within a week. The cybersecurity agency also ordered federal agencies to patch their systems against CVE-2024-12686 on January 13.

PostgreSQL zero-day linked to BeyondTrust breach

While analyzing CVE-2024-12356, the Rapid7 team uncovered a new zero-day vulnerability in PostgreSQL (CVE-2025-1094), which was reported on January 27 and patched on Thursday. CVE-2025-1094 allows SQL injection when the PostgreSQL interactive tool reads untrusted input, because it incorrectly processes certain invalid byte sequences from invalid UTF-8 characters.

“Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns,” the PostgreSQL security team explains.

“Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL.”
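To make the quoting failure the advisory describes concrete, here is an added illustration in Python (not PostgreSQL's libpq or Rapid7's code): a simplified escaper that trusts a UTF-8 lead byte's declared character length, beside a validating form and a check a reviewer can run on escaped output. The byte strings are constructed for the example, and the escaper is a model of the pattern, not the real library logic.

```python
# Added illustration, not PostgreSQL or Rapid7 code: models an escaper that
# trusts the length a UTF-8 lead byte claims, beside a validating alternative.

def claimed_utf8_len(lead: int) -> int:
    """Character length a UTF-8 lead byte claims (table lookup, no validation)."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    return 1  # stray continuation or out-of-range byte: treat as one byte

def escape_literal_length_based(data: bytes) -> bytes:
    """Flawed pattern: doubles quotes, but copies each 'character' whole using
    only the claimed length, so a quote right after an invalid lead byte is
    swallowed into the character and never escaped."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        n = claimed_utf8_len(data[i])
        chunk = data[i:i + n]
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)

def escape_literal_validating(data: bytes):
    """Hardened form: refuse input that is not well-formed UTF-8, then escape
    the decoded text. Returns None instead of a literal on invalid input."""
    try:
        text = data.decode("utf-8")  # strict: raises on invalid sequences
    except UnicodeDecodeError:
        return None
    return ("'" + text.replace("'", "''") + "'").encode("utf-8")

def literal_is_well_quoted(escaped: bytes) -> bool:
    """Reviewer check: inside the outer quotes every quote must be doubled.
    errors='replace' mirrors a consumer that tolerates a bad byte and keeps
    reading, which is where a swallowed quote resurfaces as a delimiter."""
    body = escaped[1:-1].decode("utf-8", errors="replace")
    return "'" not in body.replace("''", "")

if __name__ == "__main__":
    for sample in (b"O'Brien", "caf\u00e9'".encode(), b"x\xc0'y"):
        naive = escape_literal_length_based(sample)
        print(sample, naive, literal_is_well_quoted(naive), escape_literal_validating(sample))
```

The last sample shows the pattern: the length-based escaper copies the bytes after 0xC0 unchanged and the check flags the result, while the validating escaper rejects the input outright.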

Rapid7’s tests showed that successfully exploiting CVE-2024-12356 to achieve remote code execution requires using CVE-2025-1094, suggesting that the exploit associated with BeyondTrust RS CVE-2024-12356 relied on the exploitation of PostgreSQL CVE-2025-1094.

Additionally, while BeyondTrust said CVE-2024-12356 is a command injection vulnerability (CWE-77), Rapid7 argues that it would be more accurately classified as an argument injection vulnerability (CWE-88).

Rapid7 security researchers have also identified a way to exploit CVE-2025-1094 for remote code execution in vulnerable BeyondTrust Remote Support (RS) systems independently of the CVE-2024-12356 argument injection vulnerability.

More importantly, they’ve found that while BeyondTrust’s patch for CVE-2024-12356 doesn’t address CVE-2025-1094’s root cause, it successfully prevents the exploitation of both vulnerabilities.

“We have also learnt that it’s possible to exploit CVE-2025-1094 in BeyondTrust Remote Support without the need to leverage CVE-2024-12356,” Rapid7 said. “However, due to some additional input sanitation that the patch for CVE-2024-12356 employs, exploitation will still fail.”
