A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094)

by CybrGPT

The suspected Chinese state-sponsored hackers who breached workstations of several US Treasury employees in December 2024 did so by leveraging not one, but two zero-days, according to Rapid7 researchers.

It was initially reported that the attackers compromised the Treasury’s BeyondTrust Remote Support SaaS instances via CVE-2024-12356, a previously unknown unauthenticated command injection vulnerability.

But, as Rapid7 researchers discovered (and confirmed by testing), “a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution.”

About CVE-2025-1094

CVE-2025-1094 is a vulnerability in how PostgreSQL's string-quoting code (the libpq escaping functions that the interactive terminal, psql, and other clients rely on) handles invalid byte sequences such as a truncated or malformed UTF-8 character. The quoting code can treat a quote character that follows a malformed multibyte lead byte as part of that character and leave it unescaped, while psql later reads the same bytes and sees the quote as the end of the string. Input that is passed through the quoting function and then into psql can therefore break out of its quoted literal, which can be leveraged for SQL injection.

“An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool’s ability to run meta-commands,” Stephen Fewer, Principal Security Researcher at Rapid7, explained.

“The meta-command, identified by the exclamation mark symbol, allows for an operating system shell command to be executed. Alternatively, an attacker who can generate a SQL injection via CVE-2025-1094 can execute arbitrary attacker-controlled SQL statements.”
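The following is an added, constructed model of the bug class described above; it is not libpq or psql source and all function names are hypothetical. It pairs a quoting routine that steps over multibyte characters by their UTF-8 lead-byte length without checking the continuation bytes (the vulnerable pattern) with a byte-oriented command reader in the style of psql, which treats a single quote as a string terminator wherever it appears and a backslash outside a string as a meta-command. The attacker input is a constructed sample: a bare 0xC0 lead byte, a quote, a statement terminator and a `\!` shell meta-command. A hardened quoting routine that rejects invalid sequences is shown beside it.

```python
# Constructed illustration of the CVE-2025-1094 bug class (not libpq/psql code).
# All names are hypothetical; the reader is a deliberately simplified model.

def utf8_len_from_lead(b: int) -> int:
    """Sequence length implied by a UTF-8 lead byte (no validation)."""
    if b < 0x80:
        return 1
    if 0xC0 <= b <= 0xDF:
        return 2
    if 0xE0 <= b <= 0xEF:
        return 3
    if 0xF0 <= b <= 0xF7:
        return 4
    return 1  # stray continuation byte or invalid lead: treat as one byte


def escape_literal_naive(value: bytes) -> bytes:
    """VULNERABLE model: doubles a quote only at a character boundary and
    copies the bytes after a multibyte lead byte unchecked.  A bare 0xC0
    followed by a quote makes the quote part of a "2-byte character", so
    it is never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(value):
        n = utf8_len_from_lead(value[i])
        if n == 1:
            out += b"''" if value[i] == 0x27 else value[i:i + 1]
            i += 1
        else:
            out += value[i:i + n]  # trusts the lead byte; no continuation check
            i += n
    out += b"'"
    return bytes(out)


def escape_literal_checked(value: bytes) -> bytes:
    """HARDENED model: refuse input containing an invalid multibyte sequence
    instead of stepping over it."""
    out = bytearray(b"'")
    i = 0
    while i < len(value):
        n = utf8_len_from_lead(value[i])
        chunk = value[i:i + n]
        if n == 1:
            out += b"''" if chunk == b"'" else chunk
        elif len(chunk) < n or any(not 0x80 <= c <= 0xBF for c in chunk[1:]):
            raise ValueError(f"invalid UTF-8 sequence at offset {i}: {chunk!r}")
        else:
            out += chunk
        i += n
    out += b"'"
    return bytes(out)


def psql_like_split(buf: bytes):
    """Toy byte-oriented reader in the style of psql: tracks single-quoted
    strings byte by byte ('' inside a string is a literal quote), splits
    statements on ';' outside strings, and treats a backslash outside a
    string as a meta-command that runs to end of line."""
    items, cur, in_str, i = [], bytearray(), False, 0
    while i < len(buf):
        c = buf[i]
        if in_str:
            if c == 0x27 and buf[i + 1:i + 2] == b"'":
                cur += b"''"
                i += 2
                continue
            in_str = c != 0x27  # an unpaired quote ends the string
            cur.append(c)
        elif c == 0x27:
            in_str = True
            cur.append(c)
        elif c == 0x3B:  # ';' ends a statement
            items.append(("sql", bytes(cur).strip()))
            cur = bytearray()
        elif c == 0x5C:  # '\' outside a string: meta-command to end of line
            end = buf.find(b"\n", i)
            end = len(buf) if end == -1 else end
            items.append(("meta", buf[i:end]))
            i = end
        else:
            cur.append(c)
        i += 1
    if cur.strip():
        items.append(("sql", bytes(cur).strip()))
    return items


def build_query(user_value: bytes, escaper) -> bytes:
    """Application-side template: the escaper is meant to keep user_value
    confined to the quoted literal whatever bytes it contains."""
    return b"SELECT * FROM users WHERE name = " + escaper(user_value) + b";\n"


# Constructed attacker input: bare lead byte, quote, terminator, meta-command.
# The trailing '#' makes the shell ignore the leftover quote and ';'.
ATTACK = b"\xC0'; \\! id #"


def demo(escaper):
    """Run the template through the toy reader; returns (items, error)."""
    try:
        return psql_like_split(build_query(ATTACK, escaper)), None
    except ValueError as e:
        return [], str(e)


if __name__ == "__main__":
    for name, esc in (("naive", escape_literal_naive), ("checked", escape_literal_checked)):
        items, err = demo(esc)
        print(f"{name}: error={err!r}")
        for kind, text in items:
            print(f"  {kind}: {text!r}")
```

With the naive escaper the reader emits two items: a SQL statement whose literal ends at the swallowed quote, and a `\! id #';` meta-command, which is exactly the class of breakout the quote above describes. With the checked escaper the same input is rejected before any text reaches the reader, and ordinary multibyte input such as `O'Brien café` still round-trips unchanged through both.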

During his research, he also found that before BeyondTrust released the patch for CVE-2024-12356 in mid-December 2024, CVE-2025-1094 was exploitable on vulnerable Remote Support targets on its own, without chaining it with CVE-2024-12356.

Fixes are available

The PostgreSQL team was notified and issued fixes for CVE-2025-1094 on February 13, 2025.

The good news is that the BeyondTrust December patches also mitigated the risk of attackers leveraging the PostgreSQL zero-day to target BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions.

Caitlin Condon, vulnerability research director at Rapid7, says that CVE-2025-1094 is non-trivial to exploit and that Rapid7 does not expect to see it exploited in PostgreSQL deployments outside the known-vulnerable BeyondTrust RS and PRA versions.

But, she added, “it’s clear that the adversaries who perpetrated the December attack *really* knew the target technology.”

PostgreSQL users are advised to upgrade to a fixed PostgreSQL version: 17.3, 16.7, 15.11, 14.16, or 13.19.

BeyondTrust users that have not yet applied the December 2024 fix should do so promptly. Rapid7 has released technical details on both zero-days and has shared indicators of compromise (error messages in logs) that could point to CVE-2025-1094 having been exploited on BeyondTrust Remote Support instances.



© 2025 cybrgpt.com – All rights reserved.