PostgreSQL Flaw Exploited as Zero-Day in BeyondTrust Breach
Summary:
Attackers leveraged a PostgreSQL zero-day vulnerability (CVE-2025-1094) in conjunction with two BeyondTrust flaws (CVE-2024-12356 and CVE-2024-12686) and a stolen API key to breach BeyondTrust’s network in December 2023. BeyondTrust later revealed that 17 of its Remote Support SaaS instances were affected. The attack gained further significance when, in January 2024, the U.S. Treasury Department disclosed that its systems had also been compromised using a stolen BeyondTrust Remote Support SaaS API key. The breach was attributed to Silk Typhoon, a Chinese state-backed cyber-espionage group known for conducting large-scale reconnaissance and data theft operations. Silk Typhoon previously gained notoriety in early 2021 when it exploited Microsoft Exchange Server ProxyLogon zero-days to compromise an estimated 68,500 servers worldwide.
As part of its analysis, Rapid7 discovered that the exploitation of CVE-2024-12356, initially described by BeyondTrust as a command injection vulnerability, relied on CVE-2025-1094, a PostgreSQL flaw that allows SQL injection due to improper handling of UTF-8 encoding in interactive tools. Specifically, Rapid7 found that PostgreSQL’s libpq functions (such as PQescapeLiteral() and PQescapeIdentifier()) failed to properly neutralize quoting syntax, making SQL injection possible under certain conditions. This vulnerability affected PostgreSQL command-line utilities when used in environments where client_encoding was set to BIG5 and server_encoding was either EUC_TW or MULE_INTERNAL. BeyondTrust’s CVE-2024-12356 patch did not directly fix the PostgreSQL vulnerability but introduced additional input sanitization that mitigated the exploitability of both flaws. However, Rapid7 also found that CVE-2025-1094 could be exploited independently in BeyondTrust Remote Support systems, raising concerns that similar attacks could still occur if organizations rely solely on BeyondTrust’s patch.
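The defensive lesson of CVE-2025-1094 is that text which fails encoding validation must be rejected before it ever reaches a quoting routine, because a quote byte hidden behind a malformed lead byte can survive escaping. The following added example (not code from the page, from PostgreSQL, or from BeyondTrust) shows that check in Python: strict decoding in the declared client encoding (UTF-8 or BIG5, both mentioned above) followed by literal quoting, with a constructed invalid sequence used only to show the rejection path.

```python
def validate_encoding(raw: bytes, encoding: str = "utf-8") -> str:
    """Strictly decode raw bytes in the declared client encoding.

    Any invalid or truncated multi-byte sequence raises ValueError
    instead of being passed on, which is the fix class for the libpq
    quoting bug described above. Hypothetical helper, not libpq's API.
    """
    try:
        return raw.decode(encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(
            f"rejected: invalid {encoding} sequence at byte {exc.start}"
        ) from exc


def quote_literal(text: str) -> str:
    """Quote an already-validated Python str as a SQL string literal.

    Operating on decoded characters rather than raw bytes means a
    quote can no longer be swallowed as the trail byte of a lead byte.
    """
    return "'" + text.replace("'", "''") + "'"


def safe_literal(raw: bytes, encoding: str = "utf-8") -> str:
    """Validate, then quote. Raises ValueError on bad encoding."""
    return quote_literal(validate_encoding(raw, encoding))


def is_well_encoded(raw: bytes, encoding: str = "utf-8") -> bool:
    """Boolean form of the check, usable as a pre-filter on user input."""
    try:
        validate_encoding(raw, encoding)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a benign quote, valid UTF-8, and a malformed
    # lead byte (0xC0) immediately followed by a quote character.
    print(safe_literal(b"O'Reilly"))
    print(safe_literal("caf\u00e9".encode("utf-8")))
    print(is_well_encoded(b"a\xc0'b"))          # False: rejected, never quoted
    print(is_well_encoded(b"\xa4'", "big5"))    # False: bad trail byte in BIG5
```

Where the application can use parameterized queries instead of building SQL text, that remains the stronger control; the validation above is the fallback for code paths that must construct literals or identifiers.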
Security Officer Comments:
In the Treasury breach, the hackers specifically targeted high-value departments such as the Committee on Foreign Investment in the United States, which assesses foreign investments for national security risks, and the Office of Foreign Assets Control, which administers economic and trade sanctions. Additionally, they infiltrated the Treasury’s Office of Financial Research, although the full impact of that intrusion remains under assessment. Intelligence suggests that Silk Typhoon used its access to BeyondTrust’s systems to steal unclassified but sensitive information related to potential U.S. sanctions and other government documents.
Suggested Corrections:
BeyondTrust has released patches to remediate CVE-2024-12356 for the following versions:
Privileged Remote Access (PRA) version 24.3.1 and earlier
- Patch BT24-10-ONPREM1 or BT24-10-ONPREM2
Link(s):
https://www.bleepingcomputer.com/ne...-exploited-as-zero-day-in-beyondtrust-breach/