PostgreSQL vulnerability discovered that was used in BeyondTrust attack
Take action: This is an interesting vulnerability. PostgreSQL's client tool can be used in complex attacks if another flaw is present in the system. While not immediately exploitable, this is something for every PostgreSQL user to consider. No need to panic: plan a regular patch of your servers, but don't ignore this one. Someone will find another flaw.
Learn More
Rapid7 is reporting a high-severity SQL injection vulnerability in PostgreSQL's interactive terminal tool (psql) that was discovered during their investigation of a BeyondTrust exploit.
The vulnerability is tracked as CVE-2025-1094 (CVSS score 8.1): a SQL injection vulnerability in PostgreSQL's psql tool that allows arbitrary code execution through meta-commands. It exists because PostgreSQL's string escaping routines (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()) handle invalid UTF-8 characters incorrectly. Combined with how psql processes invalid byte sequences, this lets attackers achieve SQL injection and potentially execute arbitrary operating system commands through psql's meta-command functionality.
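As an added example (not from the article, and not PostgreSQL's own code), a strict UTF-8 validator that an application can run on untrusted strings before they reach the libpq escaping routines or a psql session; the function names are hypothetical. Rejecting malformed byte sequences up front removes the precondition the paragraph above describes.

```c
/* Added example: strict UTF-8 validation of untrusted input before it is
 * passed to PQescapeLiteral()/PQescapeString() or fed to psql.
 * Returns 1 when the buffer is well-formed UTF-8, 0 otherwise. */
#include <stddef.h>
#include <string.h>

int utf8_valid(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t len;
        unsigned int cp;
        if (c < 0x80) { i++; continue; }                       /* plain ASCII */
        else if (c >= 0xC2 && c <= 0xDF) { len = 2; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
        else return 0;                 /* 0x80-0xC1 and 0xF5-0xFF never start a sequence */
        if (i + len > n) return 0;     /* multibyte sequence truncated by end of input */
        for (size_t k = 1; k < len; k++) {
            /* every following byte must be a 10xxxxxx continuation byte;
             * an ASCII byte (such as a quote) in this position is invalid */
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        /* reject overlong encodings, UTF-16 surrogates and values above U+10FFFF */
        if ((len == 3 && cp < 0x800) || (len == 4 && cp < 0x10000)) return 0;
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
        if (cp > 0x10FFFF) return 0;
        i += len;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated C strings (hypothetical helper). */
int utf8_valid_str(const char *s)
{
    return utf8_valid((const unsigned char *)s, strlen(s));
}
```

Strings that fail this check should be rejected outright rather than escaped, since the escaping functions in unpatched versions are exactly where the mishandling occurs.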
While the attack on BeyondTrust was primarily through the exploitation of BeyondTrust's CVE-2024-12356, the exploit depended on CVE-2025-1094 to achieve remote code execution. Although BeyondTrust's December 2024 patch blocked both vulnerabilities, it did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered it and reported it to PostgreSQL.
CVE-2025-1094 affects all PostgreSQL versions before:
- Version 17.3
- Version 16.7
- Version 15.11
- Version 14.16
- Version 13.19
The vulnerability is considered high-complexity, which may limit its exploitation outside the known BeyondTrust attack scenario. Researchers note, however, that the attackers who conducted the December attack are already prepared to execute such complex attacks.