CyberSecurity news

FlagThis - #postgresql

@csoonline.com //
A high-severity SQL injection vulnerability, identified as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that threat actors exploited this zero-day flaw in conjunction with a BeyondTrust vulnerability (CVE-2024-12356) during targeted attacks in December 2024: the attackers who exploited the zero-day in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products that month likely also exploited the previously unknown SQL injection flaw in PostgreSQL.

This vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to OS command execution. The flaw stems from how PostgreSQL handles invalid UTF-8 characters, which allows attackers to inject malicious code via psql's "\!" shortcut command (which runs a shell command). Rapid7 found that successful exploitation of the BeyondTrust vulnerability required exploiting CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17 to address this issue, and users are advised to upgrade their database servers immediately.

References :
  • The Register - Security: High-complexity bug unearthed by infoseccers, as Rapid7 probes exploit further A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.…
  • Caitlin Condon: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵 on its relation to BeyondTrust exploitation
  • securityaffairs.com: Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7.
  • The Hacker News: Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7.
  • www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
  • infosec.exchange: New vuln disclosure c/o : CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting on its relation to BeyondTrust exploitation
  • MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
  • www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
  • Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
  • Caitlin Condon: CVE-2025-1094 affects all supported versions of PostgreSQL
  • Open Source Security: Hi, As announced on February 13 in: This vulnerability is related to BeyondTrust CVE-2024-12356: In Caitlin Condon's words in the thread above: The referenced Rapid7 blog post:
  • www.postgresql.org: PostgreSQL security announcement about CVE-2025-1094.
  • Open Source Security: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection
  • securityonline.info: Metasploit-Ready: CVE-2025-1094 SQLi in PostgreSQL Exposes Systems to Remote Attacks
  • Caitlin Condon: Infosec.exchange post linking to various resources related to CVE-2025-1094 in PostgreSQL.
  • www.postgresql.org: PostgreSQL announcement about PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 releases fixing CVE-2025-1094
Classification:
@csoonline.com //
A critical zero-day vulnerability, identified as CVE-2025-1094, has been discovered in the open-source database management system PostgreSQL. This SQL injection flaw, found in PostgreSQL's psql terminal, was actively exploited in conjunction with a separate zero-day vulnerability, CVE-2024-12356, affecting BeyondTrust Remote Support systems. The combined exploitation of these vulnerabilities enabled attackers to achieve remote code execution, leading to potential system compromise.

Rapid7 researchers discovered that the PostgreSQL flaw stems from the interactive terminal psql's handling of malformed UTF-8 characters, which allows attackers to inject malicious SQL commands. This vulnerability was leveraged in attacks targeting the U.S. Treasury Department, highlighting the severity of the threat. PostgreSQL has urged users of versions before 13.19, 14.16, 15.11, 16.7, and 17.3 to immediately apply the issued patch to mitigate the risk of exploitation.
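The defensive rule behind the psql flaw described in both items above is that text which fails UTF-8 validation must never reach a quoting routine or a generated psql script. The following is an added example written for this page, not code from Rapid7, PostgreSQL or the articles cited: it validates bytes strictly before quoting them, and scans a generated script for backslash meta-commands that sit outside string literals so a script builder can refuse to run it. All function names and inputs are constructed for illustration, and the quote tracking is a deliberately small approximation of psql's lexer (it does not handle E'...' escape strings or dollar quoting).

```python
"""Added example: validate encoding before quoting, and refuse psql scripts
that contain meta-commands outside string literals. Constructed inputs only."""


class InvalidEncodingError(ValueError):
    """Raised for bytes that are not well-formed UTF-8."""


def validate_utf8(data: bytes) -> str:
    """Strict decode: truncated or invalid sequences raise instead of being
    passed through to a quoting routine, which is where this bug class bites."""
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidEncodingError(
            f"invalid UTF-8 at byte {exc.start}: {exc.reason}") from exc


def quote_literal(data: bytes) -> str:
    """Quote untrusted bytes as a SQL string literal, validating first.
    Prefer parameterized queries; use this only for generated scripts."""
    text = validate_utf8(data)
    return "'" + text.replace("'", "''") + "'"


def find_meta_commands(script: str) -> list:
    """Return (line_number, text) for every backslash meta-command found
    outside a single-quoted literal. '' inside a literal is an escaped
    quote and literals may span lines. Approximation: no E'' strings or
    $$ dollar quoting, so treat hits as a reason to reject, not a full parse."""
    found = []
    in_quote = False
    for lineno, line in enumerate(script.splitlines(), start=1):
        i = 0
        while i < len(line):
            ch = line[i]
            if in_quote:
                if ch == "'":
                    if i + 1 < len(line) and line[i + 1] == "'":
                        i += 2  # doubled quote stays inside the literal
                        continue
                    in_quote = False
            elif ch == "'":
                in_quote = True
            elif ch == "\\":
                # Unquoted backslash: psql treats the rest of the line as a
                # meta-command such as \! (shell) or \g (execute).
                found.append((lineno, line[i:].strip()))
                break
            i += 1
    return found


def build_insert_script(names: list) -> str:
    """Generate a psql script from untrusted bytes (hypothetical table
    users(name)); every value is validated and quoted, then the finished
    script is re-checked as a second line of defence."""
    rows = [f"INSERT INTO users(name) VALUES ({quote_literal(n)});" for n in names]
    script = "\n".join(rows) + "\n"
    if find_meta_commands(script):
        raise ValueError("generated script contains a psql meta-command")
    return script


if __name__ == "__main__":
    print(build_insert_script([b"O'Brien", "caf\u00e9".encode("utf-8")]))
    try:
        # Constructed bad input: 0xC0 is never a valid UTF-8 lead byte.
        build_insert_script([b"\xc0'"])
    except InvalidEncodingError as e:
        print("rejected:", e)
```

The two checks are independent: `validate_utf8` stops malformed bytes from ever reaching the quoting step, and `find_meta_commands` catches the symptom (an unquoted backslash command) if some other code path produced the script.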

References :
  • The Hacker News: PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks
  • www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
  • MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
  • www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
  • securityaffairs.com: Experts discovered PostgreSQL flaw chained with BeyondTrust zeroday in targeted attacks
  • Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
Classification:
SC Staff@scmagazine.com //
An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.

Cloud security firm Wiz has identified that attackers are abusing the "COPY ... FROM PROGRAM" SQL command to execute arbitrary shell commands. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines.
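Because the campaign above relies on a database login that is allowed to run `COPY ... FROM PROGRAM`, two defensive checks follow directly: flag that statement in the server's statement log, and audit who holds the privilege to run it. The following is an added example written for this page, not Wiz's tooling or any PostgreSQL component. The log lines are constructed in the default `log_line_prefix` style and the commands in them are placeholders; capturing such statements requires `log_statement = 'all'` (or at least `'mod'`, which covers `COPY FROM`). The audit query uses the real catalogs `pg_roles` and `pg_auth_members` and the built-in role `pg_execute_server_program`, which is what permits non-superusers to run `COPY` to or from a program.

```python
"""Added example: detect COPY ... FROM/TO PROGRAM in PostgreSQL statement
logs and list the roles allowed to issue it. Sample log is constructed."""

import re

# Default-style prefix: "<date> <time> <tz> [<pid>] <user>@<db> <LEVEL>:  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# COPY <anything> FROM|TO PROGRAM '<command>'; case-insensitive, '' is an escaped quote.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<direction>FROM|TO)\s+PROGRAM\s+'(?P<program>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)

# Audit: every role that can execute an external program via COPY.
# Superusers have the privilege implicitly, so they are listed as well.
AUDIT_SQL = """
SELECT r.rolname AS can_run_program
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'pg_execute_server_program'
UNION
SELECT rolname FROM pg_roles WHERE rolsuper;
"""

# Constructed sample: one normal query, one file COPY (not a program), and
# three program invocations in mixed case. Commands are placeholders.
SAMPLE_LOG = """\
2025-04-01 10:22:13.512 UTC [4471] app@appdb LOG:  statement: SELECT count(*) FROM orders
2025-04-01 10:22:19.004 UTC [4471] app@appdb LOG:  statement: COPY orders FROM '/tmp/orders.csv' CSV
2025-04-01 10:23:02.771 UTC [4502] postgres@postgres LOG:  statement: COPY recon FROM PROGRAM 'uname -a'
2025-04-01 10:23:05.118 UTC [4502] postgres@postgres LOG:  statement: copy recon from program 'id'
2025-04-01 10:23:09.640 UTC [4502] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat > /dev/null'
"""


def parse_log_line(line: str):
    """Split one log line into fields; None for lines that do not match the
    expected prefix (continuation lines of multi-line statements, other formats)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_program_copies(lines) -> list:
    """Return one finding per logged statement that invokes an external
    program through COPY, regardless of case, spacing or direction."""
    findings = []
    for line in lines:
        fields = parse_log_line(line)
        if not fields or not fields["msg"].startswith("statement:"):
            continue
        m = COPY_PROGRAM_RE.search(fields["msg"])
        if m:
            findings.append({
                "ts": fields["ts"],
                "user": fields["user"],
                "db": fields["db"],
                "direction": m.group("direction").upper(),
                "program": m.group("program").replace("''", "'"),
            })
    return findings


if __name__ == "__main__":
    for f in find_program_copies(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['user']}@{f['db']} COPY {f['direction']} PROGRAM -> {f['program']!r}")
    print("Audit query:\n" + AUDIT_SQL)
```

Any hit from an application role, or any unexpected member returned by the audit query, is worth treating as an incident rather than a configuration nit: the page's own description shows that this one statement is the whole bridge from a weak password to shell execution on the host.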

References :
  • gbhackers.com: A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy cryptomining payloads.
  • The Hacker News: Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
  • www.scworld.com: More than 1,500 internet-exposed PostgreSQL instances have been compromised with cryptocurrency mining malware as part of an ongoing JINX-0126 attack campaign, which is an evolution of PG_MEM malware activity initially detected by Aqua Security in August, The Hacker News reports.
  • Wiz Blog | RSS feed: Cloud environments at risk: Attackers target weak PostgreSQL instances with fileless cryptominer payloads.
  • securityonline.info: PostgreSQL Servers Hacked: 1,500+ Cloud Systems Mining Crypto via CPU_HU
  • Security Risk Advisors: CPU_HU Fileless Cryptominer Targets PostgreSQL Servers, Affects Over 1,500 Victims
Classification:
  • HashTags: #cryptomining #PostgreSQL #filelessmalware
  • Company: Wiz
  • Target: PostgreSQL servers
  • Attacker: JINX-0126
  • Product: PostgreSQL
  • Feature: Fileless Cryptomining
  • Malware: XMRig-C3
  • Type: Malware
  • Severity: Major