Chinese state-sponsored hackers breached the workstations of several US Treasury employees in December 2024 by chaining two zero-day vulnerabilities, according to researchers at Rapid7.
Initially, it was reported that the attackers infiltrated the Treasury's BeyondTrust Remote Support SaaS instances through a previously unknown unauthenticated command injection vulnerability, tracked as CVE-2024-12356. Further investigation by Rapid7 revealed, however, that exploitation of a second flaw, CVE-2025-1094, was also necessary to achieve remote code execution.
CVE-2025-1094 is a vulnerability in how the PostgreSQL interactive tool (psql) handles invalid byte sequences in malformed UTF-8 input, which can lead to SQL injection. By exploiting this vulnerability, an attacker could execute arbitrary SQL statements or, through psql, arbitrary code.
Stephen Fewer, Principal Security Researcher at Rapid7, explained that an attacker could leverage the interactive tool’s meta-commands feature to execute operating system shell commands or manipulate SQL statements through CVE-2025-1094.
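The defensive counterpart to the flaw described above is to reject malformed UTF-8 at the trust boundary before a value is quoted for a psql script, and to watch the database log for the decode errors that such input produces. The following is an added example written for this article, not code from Rapid7, PostgreSQL or BeyondTrust; the log line format and the exact error wording are assumptions, and the sample log lines are constructed.

```python
import re

# Added example. Not code from Rapid7, PostgreSQL or BeyondTrust.
# Defensive pattern: validate the raw bytes as strict UTF-8 *before* quoting,
# so the quote-doubling step never operates on a broken multibyte sequence.


class MalformedInput(ValueError):
    """Raised when input is not well-formed UTF-8 or contains a NUL byte."""


def is_well_formed(raw: bytes) -> bool:
    """True only if `raw` decodes as strict UTF-8 and has no NUL byte."""
    try:
        return "\x00" not in raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False


def quote_literal_strict(raw: bytes) -> str:
    """Return a single-quoted SQL literal for `raw`, or raise MalformedInput.

    Truncated lead bytes, lone continuation bytes and overlong encodings are
    all rejected by the strict decoder, so they cannot reach the quoting step.
    """
    if not is_well_formed(raw):
        raise MalformedInput("rejected: input is not well-formed UTF-8")
    text = raw.decode("utf-8")
    return "'" + text.replace("'", "''") + "'"


# Assumed log signature: PostgreSQL reports undecodable client input with
# 'invalid byte sequence for encoding "UTF8": 0x..'. A burst of these from an
# application that normally sends clean input is worth triage.
_ERR = re.compile(r'invalid byte sequence for encoding "UTF8": (0x[0-9a-f]+)', re.I)


def suspicious_log_lines(lines):
    """Return (line_no, first_offending_byte) for each matching log line."""
    return [(i, m.group(1)) for i, line in enumerate(lines, 1) if (m := _ERR.search(line))]


# Constructed sample log (placeholder host, not real data).
SAMPLE_LOG = [
    '2024-12-02 10:15:01 UTC LOG:  connection received: host=192.0.2.10',
    '2024-12-02 10:15:02 UTC ERROR:  invalid byte sequence for encoding "UTF8": 0xe2 0x82',
    '2024-12-02 10:15:02 UTC STATEMENT:  SELECT 1',
    '2024-12-02 10:15:03 UTC ERROR:  invalid byte sequence for encoding "UTF8": 0xc3',
]
```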
Rapid7 also found that, before BeyondTrust released its patch for CVE-2024-12356 in mid-December 2024, CVE-2025-1094 could be exploited on vulnerable Remote Support targets on its own, without CVE-2024-12356.
The PostgreSQL team has since issued fixes for CVE-2025-1094, and BeyondTrust’s December patches have helped mitigate the risk of attackers exploiting the PostgreSQL zero-day on their Privileged Remote Access (PRA) and Remote Support (RS) solutions.
Caitlin Condon, vulnerability research director at Rapid7, emphasized that although CVE-2025-1094 is non-trivial to exploit, the attackers behind the December attack demonstrated a deep understanding of the technology they were targeting.
Users of PostgreSQL are advised to upgrade to the latest fixed versions, including 17.3, 16.7, 15.11, 14.16, or 13.19. Likewise, BeyondTrust users who have not yet implemented the December 2024 fix are urged to do so promptly to safeguard their systems.
Rapid7 has shared technical details on both zero-day vulnerabilities and provided indicators of compromise, such as error messages in logs, that could indicate exploitation of CVE-2025-1094 on BeyondTrust Remote Support instances.
The joint exploitation of CVE-2024-12356 and CVE-2025-1094 underscores the sophistication of the threat actors involved and the importance of timely patching and proactive security measures in defending against targeted attacks.

