PostgreSQL Zero-Day Exploited in BeyondTrust Cyberattack

Security researchers from Rapid7 revealed that attackers used a previously unknown PostgreSQL vulnerability (CVE-2025-1094) as a zero-day to exploit BeyondTrust’s systems in December 2024.

BeyondTrust confirmed that hackers breached its network and 17 Remote Support SaaS instances using two zero-day vulnerabilities (CVE-2024-12356 and CVE-2024-12686) along with a stolen API key.

In early January, the U.S. Treasury disclosed a breach linked to the same attack, later attributed to Chinese state-sponsored group Silk Typhoon, which targeted sensitive government offices handling foreign investments and sanctions.

During their investigation, Rapid7 discovered that CVE-2024-12356 was exploited alongside CVE-2025-1094, a PostgreSQL SQL injection flaw caused by improper handling of invalid byte sequences.

Although BeyondTrust classified CVE-2024-12356 as a command injection flaw, Rapid7 argues it is more accurately described as an argument injection vulnerability.

Rapid7 also found that CVE-2025-1094 could be exploited independently of CVE-2024-12356, but BeyondTrust's patch for the latter indirectly prevents both vulnerabilities from being used.

To mitigate risks, U.S. agencies were ordered to secure their systems, and PostgreSQL has since patched CVE-2025-1094 to close this security gap.
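The root cause named above, an escaper that processes bytes without checking that they form well-formed multibyte characters, is easy to reproduce in miniature and just as easy to guard against at the application layer. The following Python is an added illustration, not PostgreSQL, libpq or BeyondTrust code; the function names and sample inputs are constructed. It contrasts a byte-level quote-doubling escaper that accepts anything with a wrapper that rejects input which is not valid UTF-8 before any quoting happens, then audits a batch of constructed inputs the way a pre-query validation hook would.

```python
from typing import Dict, List

# Constructed demonstration (not PostgreSQL/libpq code). Shows why an escaper
# must validate the encoding of its input, and a defensive wrapper that does.


def naive_escape_literal(raw: bytes) -> bytes:
    """Byte-level quote doubling with no encoding check.

    This is the shape of an escaper that never looks at whether the bytes it
    forwards are well-formed multibyte characters; it accepts every input.
    """
    return b"'" + raw.replace(b"'", b"''") + b"'"


def validate_utf8(raw: bytes) -> str:
    """Reject input that is not well-formed UTF-8.

    Strict decoding raises on truncated, overlong or otherwise invalid
    sequences, so a lone lead byte or a stray 0xFF never reaches a query.
    """
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(
            f"invalid byte sequence at offset {exc.start}: {exc.reason}"
        ) from exc


def safe_literal(raw: bytes) -> str:
    """Validate the encoding first, then quote on the decoded text.

    Quoting after decoding means every quote character the escaper sees is a
    real code point, not a byte that a later decoder might swallow.
    """
    text = validate_utf8(raw)
    return "'" + text.replace("'", "''") + "'"


def audit_inputs(samples: List[bytes]) -> Dict[str, int]:
    """Classify a batch of raw inputs as accepted or rejected by safe_literal.

    A hook like this, placed in front of query construction, gives defenders
    a count and a log entry for every malformed-encoding attempt.
    """
    counts = {"ok": 0, "rejected": 0}
    for raw in samples:
        try:
            safe_literal(raw)
            counts["ok"] += 1
        except ValueError as exc:
            counts["rejected"] += 1
            print(f"rejected {raw!r}: {exc}")  # would go to an audit log
    return counts


# Constructed sample inputs: two well-formed, two malformed.
CONSTRUCTED_SAMPLES: List[bytes] = [
    b"O'Neil",                 # ASCII with an embedded quote
    "caf\u00e9".encode(),      # valid two-byte UTF-8 sequence
    b"\xc3'",                  # truncated lead byte followed by a quote
    b"\xff\xfe",               # bytes that are never valid in UTF-8
]


if __name__ == "__main__":
    # The naive escaper passes the truncated sequence through untouched.
    print(naive_escape_literal(b"\xc3'"))
    # The validating wrapper rejects it and accepts the well-formed inputs.
    print(audit_inputs(CONSTRUCTED_SAMPLES))
```

Parameterized queries (server-side parameter binding) remain the primary control, since they keep data out of the query text entirely; the validation above is defense in depth for the places where a literal still has to be assembled, and it also produces a clean audit signal whenever malformed bytes arrive.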
