Full Report
Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7. The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql. "An
Analysis Summary
# Vulnerability: PostgreSQL SQL Injection Leading to Code Execution
## CVE Details
- CVE ID: CVE-2025-1094
- CVSS Score: 8.1 (High)
- CWE: SQL Injection (Inferred based on description)
## Affected Systems
- Products: PostgreSQL
- Versions: PostgreSQL 17, PostgreSQL 16, PostgreSQL 15, PostgreSQL 14, PostgreSQL 13
- Configurations: Not specified; presumed to affect default installations.
## Vulnerability Description
A previously unknown SQL injection vulnerability exists in the psql interactive tool shipped with multiple PostgreSQL versions. Successful exploitation allows an attacker to execute shell commands on the underlying system, owing to the nature of the injection payload used.
## Exploitation
- Status: Exploited in the wild (Reportedly exploited alongside a BeyondTrust zero-day in targeted attacks).
- Complexity: Not explicitly stated; exploitation that leads to shell command execution is generally considered Medium to High complexity for a zero-day.
- Attack Vector: Network (implied; SQL injection is typically reachable remotely).
## Impact
- Confidentiality: High (Implied by ability to execute commands and potentially exfiltrate data)
- Integrity: High (Ability to compromise system integrity via command execution)
- Availability: High (Implied, as command execution can lead to denial of service or system compromise)
## Remediation
### Patches
- Patches are not explicitly detailed in the source material; specific fixed versions are not listed. Users must consult official PostgreSQL advisories for patch releases corresponding to CVE-2025-1094.
### Workarounds
- No specific workarounds were detailed in the provided context.
## Detection
- Indicators of compromise include unexpected command execution traced back to database processes, or database logs showing unusual or obfuscated input containing characters such as "!" (as suggested by an exploit clue in the source).
- Detection methods include monitoring database query logs for injection payloads targeting the flaw, or using WAF/IPS systems to block known exploit patterns.
## References
- No specific vendor advisories or direct links were provided in the article summary.