Security researchers from Rapid7 revealed that attackers used a previously unknown PostgreSQL vulnerability (CVE-2025-1094) as a zero-day to exploit BeyondTrust’s systems in December 2024.
BeyondTrust confirmed that hackers breached its network and 17 Remote Support SaaS instances using two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) along with a stolen API key.
In early January, the U.S. Treasury disclosed a breach linked to the same attack, later attributed to Chinese state-sponsored group Silk Typhoon, which targeted sensitive government offices handling foreign investments and sanctions.
During their investigation, Rapid7 discovered that CVE-2024-12356 was exploited alongside CVE-2025-1094, a PostgreSQL SQL injection flaw caused by improper handling of invalid byte sequences.
Although BeyondTrust classified CVE-2024-12356 as a command injection flaw, Rapid7 argues it is more accurately described as an argument injection vulnerability.
Rapid7 also found that CVE-2025-1094 could be exploited independently of CVE-2024-12356, but BeyondTrust's patch for the latter indirectly prevents both vulnerabilities from being used.
To mitigate risks, U.S. agencies were ordered to secure their systems, and PostgreSQL has since patched CVE-2025-1094 to close this security gap.
