According to research from Rapid7, in December 2024, zero-day vulnerability (PRA) and remote support (RS) products were found to be zero-day vulnerability (PRA) and remote support (RS) products. The threat actors behind the exploitation were likely misused.
The vulnerability tracked as CVE-2025-1094 (CVSS score: 8.1) affects the PostgreSQL interactive tool PSQL.
“Attackers who can generate SQL injections via CVE-2025-1094 can achieve arbitrary code execution (ACE) by leveraging the ability of interactive tools to execute meta commands.”
The cybersecurity company also noted that it made the discovery as part of its investigation into CVE-2024-12356.
Specifically, we found out that “the exploit of CVE-2024-12356 was successful, so we need to include the abuse of CVE-2025-1094 to achieve remote code execution.”
With a tuned disclosure, PostgreSQL maintainers have released an update to address the issue of the following versions –
PostgreSQL 17 (fixed to 17.3) PostgreSQL 16 (fixed to 16.7) PostgreSQL 15 (fixed to 15.11) PostgreSQL 14 (fixed to 14.16) PostgreSQL 13 (fixed to 13.19)
The vulnerability stems from the way PostgreSQL handles invalid UTF-8 characters, and therefore attackers exploit SQL injection by using the shortcut command “\!”, which allows shell commands to be executed. Open the door to a possible scenario.
“Attackers can take advantage of CVE-2025-1094 to execute this meta command and control the operating system shell commands that are executed,” he said. “Alternatively, an attacker who can generate SQL injections via CVE-2025-1094 can execute any attacker-controlled SQL statement.”
This development has added security flaws that affect the SimpleHelp Remote Support Software (CVE-2024-57727, CVSS score: 7.5) and has announced that the US Cybersecurity and Infrastructure Security Agency (CISA) will add security flaws that affect the SimpleHelp Remote Support Software (CVE-2024-57727, CVSS score: 7.5) and that the company has announced that it has a known exploitation vulnerability ( KEV) Request that the catalogue requires federal agencies be applied. Corrections made until March 6, 2025.
Source link
