New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks

SecurityWeek reports that open-source database management system PostgreSQL has been impacted by a new zero-day flaw, tracked as CVE-2025-1094, which has been leveraged as part of the attacks against vulnerable BeyondTrust Remote Support systems that impacted the U.S. Treasury Department.

Exploitation of the vulnerability, which stems from how the PostgreSQL interactive terminal psql handles invalid byte sequences from malformed UTF-8 characters, facilitated execution of the id command, which could allow total system compromise, according to Rapid7 researchers. Despite not acknowledging zero-day attacks involving the issue, PostgreSQL has already urged users of versions before 13.19, 14.16, 15.11, 16.7, and 17.3 to immediately apply the issued patch.

The discovery follows the Treasury Department's disclosure of a "major cybersecurity incident" in December resulting from the compromise of a BeyondTrust key used for securing a cloud-based service for its Departmental Office users. Other details regarding the extent of the Treasury Department hack remain uncertain.
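The fixed releases named above can be turned into an inventory check. The following is an added example, not code from SecurityWeek, Rapid7 or PostgreSQL; the host names and version banners are constructed, and branches the article does not name are reported as unknown rather than guessed.

```python
import re

# First fixed minor release per major branch, as listed in the article.
FIXED = {13: 19, 14: 16, 15: 11, 16: 7, 17: 3}

# Matches both `psql --version` ("psql (PostgreSQL) 16.6 ...") and
# `SELECT version()` ("PostgreSQL 15.11 on x86_64 ...") output.
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor) from a version banner, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(banner):
    """Classify one banner as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"  # beta builds, truncated output, non-PostgreSQL text
    major, minor = parsed
    if major not in FIXED:
        return "unknown"  # branch not named in the article: review by hand
    return "patched" if minor >= FIXED[major] else "vulnerable"


def needs_attention(inventory):
    """Map host -> status for every host not confirmed as patched."""
    flagged = {}
    for host, banner in inventory.items():
        status = assess(banner)
        if status != "patched":
            flagged[host] = status
    return flagged


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "db-a": "psql (PostgreSQL) 16.6 (Debian 16.6-1.pgdg120+1)",
    "db-b": "PostgreSQL 15.11 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-c": "psql (PostgreSQL) 12.22",
    "db-d": "psql (PostgreSQL) 17.3",
    "db-e": "psql (PostgreSQL) 13.18",
}

if __name__ == "__main__":
    for host, status in sorted(needs_attention(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as unknown still need a manual look, since the check only covers the branches the article lists.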
