Zero-Day Flaw in PostgreSQL Exploited to Target BeyondTrust Systems

The cybersecurity landscape was recently shaken by the disclosure of a critical PostgreSQL vulnerability that was exploited as a zero-day in the BeyondTrust breach. This breach, which affected the privileged access management company BeyondTrust, was carried out in December using multiple zero-day vulnerabilities, including CVE-2024-12356 and CVE-2024-12686, along with a stolen API key. The attack has since been linked to Chinese state-sponsored hackers known as Silk Typhoon, who have a history of conducting sophisticated cyber-espionage campaigns.
The BeyondTrust Breach: A Timeline of Events
BeyondTrust disclosed that attackers gained unauthorized access to its systems and 17 Remote Support SaaS instances in early December 2024. This breach had far-reaching consequences, as less than a month later, the U.S. Treasury Department confirmed that its network had also been compromised due to the use of a stolen BeyondTrust Remote Support SaaS API key.
The Treasury breach was later attributed to Silk Typhoon, a Chinese cyber-espionage group known for reconnaissance and data theft operations. This group gained notoriety after exploiting Microsoft Exchange Server ProxyLogon zero-days in 2021, affecting approximately 68,500 servers worldwide.
Among the key targets of this breach were:
- The Committee on Foreign Investment in the United States (CFIUS), which oversees foreign investments for national security risks.
- The Office of Foreign Assets Control (OFAC), which manages trade and economic sanctions programs.
- The Treasury's Office of Financial Research, although the full impact of the breach on this division remains unclear.
According to security analysts, Silk Typhoon likely used their access to BeyondTrust's instance to exfiltrate sensitive unclassified information, including potential sanctions data and other high-value documents.
PostgreSQL Zero-Day and Its Role in the Breach
During an investigation into CVE-2024-12356, security researchers at Rapid7 uncovered an additional zero-day vulnerability in PostgreSQL, designated CVE-2025-1094. This flaw, reported on January 27 and patched on February 15, was crucial in the exploitation of BeyondTrust's systems.
CVE-2025-1094 is an SQL injection vulnerability affecting PostgreSQL's interactive terminal (psql). It arises from improper handling of certain invalid UTF-8 byte sequences in the quoting routines, which allows attacker-controlled input to break out of a quoted string and execute arbitrary SQL commands. The PostgreSQL security team provided the following explanation:
“Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns.”
This means that an attacker could leverage this vulnerability under specific conditions, particularly when untrusted input is passed through these escaping functions and then reaches the PostgreSQL interactive terminal. In addition, the way PostgreSQL's command-line utilities handle certain encoding configurations allowed the injected SQL to be turned into malicious code execution.
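The flaw described above stems from escaping routines that do not reject malformed UTF-8, so a truncated multibyte sequence can swallow the quote character that follows it. The following added example (my own code, not from the article, PostgreSQL or BeyondTrust) shows the defensive counterpart: strictly validating byte input before any quote-escaping step, using a hypothetical quote_literal helper and constructed sample inputs.

```python
# Added example, not code from the article, PostgreSQL or BeyondTrust.
# CVE-2025-1094 is described as escaping routines mishandling invalid
# UTF-8 byte sequences. The defensive pattern shown here is to reject
# bytes that are not well-formed UTF-8 *before* they reach any quote-
# escaping step, so a truncated multibyte sequence can never be paired
# with a following quote character by a tolerant decoder.

def find_invalid_utf8(data: bytes):
    """Return (offset, reason) of the first malformed UTF-8 sequence,
    or None if the whole byte string is well-formed.

    Python's strict decoder is the oracle: it rejects truncated
    sequences, invalid lead bytes, overlong forms and surrogates."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return exc.start, exc.reason
    return None


def is_strict_utf8(data: bytes) -> bool:
    return find_invalid_utf8(data) is None


def quote_literal(value: bytes) -> str:
    """Hypothetical helper: build a single-quoted SQL literal by doubling
    quotes, refusing input that is not valid UTF-8. Parameterised
    queries remain the preferred option; this guards the cases where an
    application still escapes text itself."""
    bad = find_invalid_utf8(value)
    if bad is not None:
        raise ValueError(f"malformed UTF-8 at byte {bad[0]}: {bad[1]}")
    return "'" + value.decode("utf-8").replace("'", "''") + "'"


def escape_or_reject(value: bytes) -> tuple:
    """Convenience wrapper returning (accepted, literal_or_reason)."""
    try:
        return True, quote_literal(value)
    except ValueError as exc:
        return False, str(exc)


# Constructed samples (not taken from the article):
# - a normal value containing a quote, which escaping handles fine;
# - a value whose last "character" is only the first two bytes of a
#   three-byte UTF-8 sequence, immediately followed by a single quote.
GOOD_INPUT = "O'Brien".encode("utf-8")
TRUNCATED_INPUT = b"name\xe2\x82'"

if __name__ == "__main__":
    for sample in (GOOD_INPUT, TRUNCATED_INPUT):
        print(sample, "->", escape_or_reject(sample))
```

The truncated sample is rejected at byte offset 4 rather than being escaped, which is the behaviour an application should enforce regardless of whether the underlying library has been patched.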
How CVE-2024-12356 and CVE-2025-1094 Were Exploited
Rapid7 researchers confirmed that successful exploitation of CVE-2024-12356 for remote code execution depended on leveraging the PostgreSQL vulnerability CVE-2025-1094. Their findings suggest that the attack on BeyondTrust Remote Support SaaS was carried out using a combination of these vulnerabilities, highlighting a sophisticated exploitation chain.
Furthermore, while BeyondTrust classified CVE-2024-12356 as a command injection vulnerability (CWE-77), Rapid7 argued that it should instead be classified as an argument injection vulnerability (CWE-88). This misclassification could have implications for how such vulnerabilities are detected and mitigated in the future.
Additionally, Rapid7's researchers demonstrated that CVE-2025-1094 could be exploited independently of CVE-2024-12356 to achieve remote code execution on vulnerable BeyondTrust Remote Support (RS) systems. This means that even without leveraging CVE-2024-12356, attackers could still exploit BeyondTrust systems if CVE-2025-1094 remained unpatched.
BeyondTrust’s Response and Patch Effectiveness
Following the discovery of these vulnerabilities, BeyondTrust quickly moved to issue patches. BeyondTrust's patch for CVE-2024-12356 effectively blocked exploitation of both vulnerabilities in its products, but it did not address the root cause of CVE-2025-1094, which lies in PostgreSQL itself. Instead, the additional input sanitization added by the CVE-2024-12356 patch indirectly prevented CVE-2025-1094 from being exploited in BeyondTrust systems.
Rapid7 provided the following statement regarding this matter:
"We have also learned that it is possible to exploit CVE-2025-1094 in BeyondTrust Remote Support without the need to leverage CVE-2024-12356. However, due to some additional input sanitation that the patch for CVE-2024-12356 employs, exploitation will still fail."
This means that while BeyondTrust users who have applied the CVE-2024-12356 patch are currently protected from exploitation of CVE-2025-1094, other applications and systems that rely on PostgreSQL may still be vulnerable until PostgreSQL itself is updated.
Broader Implications of the PostgreSQL Flaw
The exploitation of PostgreSQL in the BeyondTrust breach underscores the growing threat of supply chain attacks and the need for proactive security measures. PostgreSQL is widely used in enterprise environments, making this vulnerability a significant concern for organizations that depend on it for database management.
Key takeaways from this incident include:
- Increased Threat of Zero-Day Exploits: The use of multiple zero-days in the BeyondTrust breach highlights how sophisticated threat actors continue to find and weaponize vulnerabilities before patches are available.
- Supply Chain Risks: Organizations relying on third-party software must adopt rigorous security assessments and ensure timely patching of dependencies like PostgreSQL.
- Strengthened Security Measures: Government agencies and businesses should implement additional layers of protection, such as Web Application Firewalls (WAFs), strict input validation, and continuous monitoring for suspicious activities.
- Proactive Vulnerability Management: Security teams must actively track CVE disclosures and prioritize patching based on exploitability and potential business impact.
Conclusion
The PostgreSQL zero-day CVE-2025-1094 played a pivotal role in the BeyondTrust breach, facilitating remote code execution alongside CVE-2024-12356. The breach not only compromised BeyondTrust's infrastructure but also led to unauthorized access to sensitive U.S. Treasury data. This incident highlights the critical need for timely vulnerability patching and comprehensive security monitoring to prevent similar attacks in the future.
Organizations using PostgreSQL should immediately apply the latest patches and evaluate their security postures to mitigate the risk of exploitation. As state-sponsored threat actors continue to refine their tactics, a proactive and layered cybersecurity approach remains essential in defending against emerging threats.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.