Pierluigi Paganini
February 14, 2025
Rapid7 researchers discovered a high-severity SQL injection flaw, tracked as CVE-2025-1094, in PostgreSQL’s psql tool. The experts discovered the flaw while investigating the exploitation of the vulnerability CVE-2024-12356 for remote code execution. BeyondTrust patched CVE-2024-12356 in December 2024, blocking both vulnerabilities, but CVE-2025-1094 remained a zero-day until Rapid7 reported it to PostgreSQL.
The investigation into the cyberattack against BeyondTrust led to the discovery of the zero-day vulnerabilities CVE-2024-12356 and CVE-2024-12686. Threat actors exploited the flaws to take over Remote Support SaaS instances, including the Treasury Department’s one.
“Rapid7 discovered that in every scenario we tested, a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order to achieve remote code execution.” reads the advisory published by Rapid7. “While CVE-2024-12356 was patched by BeyondTrust in December 2024, and this patch successfully blocks exploitation of both CVE-2024-12356 and CVE-2025-1094, the patch did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered and reported it to PostgreSQL.”
The vulnerability CVE-2025-1094 (CVSS score: 8.1) is an SQL injection issue in PostgreSQL caused by improper neutralization of quoting syntax in libpq functions (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()). This flaw arises when applications improperly use the function output to construct queries for psql, PostgreSQL’s interactive terminal.
The vulnerability impacts PostgreSQL versions before 17.3, 16.7, 15.11, 14.16, and 13.19, potentially allowing attackers to inject malicious SQL commands in vulnerable implementations.
CVE-2025-1094 exploits how PostgreSQL handles invalid UTF-8 characters, allowing SQL injection in psql. Attackers can then execute arbitrary code by using psql meta-commands, specifically the exclamation mark (!) command, which runs OS shell commands potentially leading to full system control.
“Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection.” continues the report. “An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool’s ability to run meta-commands. Meta-commands extend the interactive tools functionality, by providing a wide variety of additional operations that the interactive tool can perform. The meta-command, identified by the exclamation mark symbol, allows for an operating system shell command to be executed. An attacker can leverage CVE-2025-1094 to perform this meta-command, thus controlling the operating system shell command that is executed.”
PostgreSQL addressed the flaw with the release of the following versions:
Stephen Fewer, principal Security Researcher at Rapid7, discovered the vulnerability.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SQL injection)
