The threatening subjects that stood in favor of operating vulnerability with zero day in products with privileged remote access (PRA) and remote support (RS) in December 2024. Probably also used an unknown SQL injection in Postgresql, according to the results Rapid7.
Vulnerability tracked as Cve-2025-1094 (CVSS assessment: 8.1) affects the interactive PostgreSQL PSQL tool.
“The attacker who can create SQL injection via CVE-2025-1094 can reach an arbitrary code (ACE) using the interactive tool’s ability to launch meta co-coat,” Stephen’s less security researcher – Note.
Next, the cybersecurity campaign noted that it made a discovery within its investigation Cve-2014-12356Recently fixed lack of safety in the logleTrust software that allows you to implement the distance code.
In particular, it turned out that “a successful feat for the CVE-2014-12356 must include the CVe-2025-1094 operation to achieve the remote code.”
In the coordinated disclosure of information support postgresql liberated Update to solve the problem in the following versions –
- PostgreSQL 17 (recorded at 17.3)
- PostgreSQL 16 (fixed at 16.7)
- PostgreSQL 15 (fixed in 15.11)
- PostgreSQL 14 (recorded in 14.16)
- PostgreSQL 13 (fixed in 13.19)
The vulnerability follows from how PostgreSQL treats the invalid UTF-8 characters, opening the door to the script when the attacker can use SQL injection using A using A Fast Access Team “\!”that allows you to execute the Shell command.
“The attacker can use the CVE-2025-1094 to perform this met high, thus controlling the operating system, which is executed,” said less. “Alternatively, an attacker who can create an SQL injection via CVE-2025-1094 can fulfill arbitrary applications for SQL-controlled attacker.”
Development occurs as a cybersecurity and infrastructure agency (CISA) added Lack of security that affects the Simplehelp remote support (Cve-2024-57727CVSS assessment: 7.5) to known exploited vulnerabilities (Ship) A catalog that requires federal agencies to apply by March 6, 2025.
