Rapid7’s vulnerability analysis workforce says attackers exploited a PostgreSQL safety flaw as a zero-day to breach the community of privileged entry administration firm BeyondTrust in December.
BeyondTrust revealed that attackers breached its programs and 17 Distant Help SaaS cases in early December utilizing two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Lower than one month later, in early January, the U.S. Treasury Division disclosed that its community was breached by menace actors who used a stolen Distant Help SaaS API key to compromise its BeyondTrust occasion.
Since then, the Treasury breach has been linked to Chinese language state-backed hackers tracked as Silk Storm, a cyber-espionage group concerned in reconnaissance and knowledge theft assaults that turned broadly identified after hacking an estimated 68,500 servers in early 2021 utilizing Microsoft Trade Server ProxyLogon zero-days.
The Chinese language hackers particularly focused the Committee on International Funding in america (CFIUS), which critiques international investments for nationwide safety dangers, and the Workplace of International Property Management (OFAC), which administers commerce and financial sanctions packages.
In addition they hacked into the Treasury’s Workplace of Monetary Analysis programs, however the impression of this incident remains to be being assessed.
Silk Storm is believed to have used their entry to Treasury’s BeyondTrust occasion to steal “unclassified info regarding potential sanctions actions and different paperwork.”
On December 19, CISA added the CVE-2024-12356 vulnerability to its Identified Exploited Vulnerabilities catalog, mandating that U.S. federal companies safe their networks towards ongoing assaults inside per week. The cybersecurity company additionally ordered federal companies to patch their programs towards CVE-2024-12686 on January 13.
PostgreSQL zero-day linked to BeyondTrust breach
Whereas analyzing CVE-2024-12356, the Rapid7 workforce uncovered a brand new zero-day vulnerability in PostgreSQL (CVE-2025-1094), which was reported on January 27 and patched on Thursday. CVE-2025-1094 permits SQL injections when the PostgreSQL interactive device reads untrusted enter, because it incorrectly processes particular invalid byte sequences from invalid UTF-8 characters.
“Improper neutralization of quoting syntax in PostgreSQL libpq features PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() permits a database enter supplier to attain SQL injection in sure utilization patterns,” the PostgreSQL safety workforce explains.
“Particularly, SQL injection requires the appliance to make use of the perform outcome to assemble enter to psql, the PostgreSQL interactive terminal. Equally, improper neutralization of quoting syntax in PostgreSQL command line utility packages permits a supply of command line arguments to attain SQL injection when client_encoding is BIG5 and server_encoding is one among EUC_TW or MULE_INTERNAL.”
Rapid7’s exams confirmed that efficiently exploiting CVE-2024-12356 to attain distant code execution requires utilizing CVE-2025-1094, suggesting that the exploit related to BeyondTrust RS CVE-2024-12356 relied on the exploitation of PostgreSQL CVE-2025-1094.
Moreover, whereas BeyondTrust mentioned CVE-2024-12356 is a command injection vulnerability (CWE-77), Rapid7 argues that it might be extra precisely categorised as an argument injection vulnerability (CWE-88).
Rapid7 safety researchers have additionally recognized a way to take advantage of CVE-2025-1094 for distant code execution in susceptible BeyondTrust Distant Help (RS) programs independently of the CVE-2024-12356 argument injection vulnerability.
Extra importantly, they’ve discovered that whereas BeyondTrust’s patch for CVE-2024-12356 doesn’t deal with CVE-2025-1094’s root trigger, it efficiently prevents the exploitation of each vulnerabilities.
“We’ve additionally learnt that it’s doable to take advantage of CVE-2025-1094 in BeyondTrust Distant Help with out the necessity to leverage CVE-2024-12356,” Rapid7 mentioned. “Nonetheless, attributable to some further enter sanitation that the patch for CVE-2024-12356 employs, exploitation will nonetheless fail.”
