According to Rapid7 findings, the threat actors responsible for the December 2024 exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products likely also had the ability to exploit a previously undiscovered SQL injection flaw in PostgreSQL.
The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql.
"An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool's ability to run meta-commands," said security researcher Stephen Fewer.
The cybersecurity firm added that it discovered the issue as part of its research into the recently patched security flaw in BeyondTrust (CVE-2024-12356) that allows for unauthenticated remote code execution.
Specifically, it found that "a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution."
The maintainers of PostgreSQL released an update to fix the issue in the following versions as part of a scheduled release.
- PostgreSQL 17 (fixed in 17.3)
- PostgreSQL 16 (fixed in 16.7)
- PostgreSQL 15 (fixed in 15.11)
- PostgreSQL 14 (fixed in 14.16)
- PostgreSQL 13 (fixed in 13.19)
The vulnerability stems from PostgreSQL's handling of invalid UTF-8 characters, which makes it possible for an attacker to use the shortcut command "\!" to trigger shell command execution, allowing for SQL injection.
"An attacker can leverage CVE-2025-1094 to perform this meta-command, thereby controlling the operating system shell command that is executed," Fewer said. "Alternatively, an attacker who can generate a SQL injection via CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements."
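To make the encoding-handling point concrete, here is an added illustration (not Rapid7's, PostgreSQL's or libpq's code) of why a string-quoting routine must reject invalid UTF-8 before wrapping a value in quotes. The names, the naive quoting function and the sample inputs are all constructed for this example; the only thing taken from the article is the idea that an invalid multibyte sequence can interact badly with quote handling. A truncated multibyte lead byte placed just before the closing quote is the kind of input the hardened variant refuses, and the walk in `quote_swallowed` shows mechanically how a lenient scanner would step past that closing quote.

```python
"""
Added example: strict UTF-8 validation as a precondition for SQL literal quoting.
The naive routine and the hardened routine are hypothetical and illustrative;
neither is the real libpq implementation.
"""


def naive_quote_literal(raw: bytes) -> bytes:
    # Quote a byte string for SQL by doubling single quotes and wrapping it,
    # with no encoding validation at all (the weak pattern).
    return b"'" + raw.replace(b"'", b"''") + b"'"


def strict_utf8_ok(raw: bytes) -> bool:
    # Strict decoding rejects truncated sequences, stray continuation bytes,
    # overlong encodings and surrogate code points.
    try:
        raw.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def hardened_quote_literal(raw: bytes) -> bytes:
    # Refuse to quote anything that is not well-formed UTF-8. A lead byte that
    # announces continuation bytes which are not present could otherwise be read
    # as consuming the bytes that follow it, including the closing quote.
    if not strict_utf8_ok(raw):
        raise ValueError("input is not valid UTF-8; refusing to quote")
    return naive_quote_literal(raw)


def naive_lead_length(b: int) -> int:
    # Sequence length implied by a UTF-8 lead byte, trusting the lead byte only.
    if b < 0x80:
        return 1
    if 0xC0 <= b <= 0xDF:
        return 2
    if 0xE0 <= b <= 0xEF:
        return 3
    if 0xF0 <= b <= 0xF7:
        return 4
    return 1  # invalid lead or stray continuation byte: treat as one byte


def quote_swallowed(quoted: bytes) -> bool:
    # Walk a quoted literal the way a lenient multibyte-aware scanner would:
    # trust each lead byte and skip the continuation bytes it announces, without
    # checking they exist. Returns True if the walk steps over the closing quote,
    # i.e. the final quote would be treated as part of a multibyte character.
    i = 1                      # skip the opening quote
    last = len(quoted) - 1     # index of the closing quote
    while i < last:
        i += naive_lead_length(quoted[i])
    return i > last


# Constructed sample inputs (not taken from any real exploit or advisory):
VALID_NAME = "O'Brien é".encode("utf-8")
TRUNCATED = b"abc\xe2\x80"    # first two bytes of a three-byte sequence, cut short


def demo() -> dict:
    # Summarise how each routine treats the two inputs.
    return {
        "valid_quoted": hardened_quote_literal(VALID_NAME),
        "valid_quote_intact": not quote_swallowed(hardened_quote_literal(VALID_NAME)),
        "truncated_rejected": not strict_utf8_ok(TRUNCATED),
        "truncated_naive_swallows_quote": quote_swallowed(naive_quote_literal(TRUNCATED)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway for application code is the same one the fixed PostgreSQL releases encode: validate (or reject) the byte encoding before any quoting or escaping step, and prefer server-side parameter binding over client-side string assembly wherever the driver supports it.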
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SimpleHelp remote support software ( , CVSS score: 7.5) to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by March 6, 2025.