
Hello everyone, I would like to inform you about a recent discovery made by security researchers from Rapid7. They have found a new zero-day vulnerability in PostgreSQL, which could be used against a product; in this case not Veeam, but the BeyondTrust Remote Support products.

The PostgreSQL team has already released a patch; you can download and install it.
The patch also includes fixes for other bugs that have been reported over the past few months.

Veeam uses a PostgreSQL database, so I thought it would be worth informing the community about the finding and suggesting you consider updating the database our backup tool uses, which is most often forgotten :)

For technical purposes, Veeam 12.3 supports the following PostgreSQL versions (SOURCE):

  • PostgreSQL 14.x
  • PostgreSQL 15.x (PostgreSQL 15.10.1 is included in the Veeam Backup & Replication 12.3 setup)


DB UPDATE PROCEDURE:

Upgrading the SQL Database Engine Software (Microsoft SQL Server or PostgreSQL) Used by Veeam Backup & Replication

ARTICLE:
Securityweek - Rapid7 Flags New PostgreSQL Zero-Day Connected to BeyondTrust Exploitation

Bleepingcomputer: PostgreSQL flaw exploited as zero-day in BeyondTrust breach

 

PostgreSQL ARTICLES:

CVE-2025-1094 PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 Released!
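As an added check (written for this page, not taken from the thread, from Veeam or from the PostgreSQL project), the POSIX shell script below maps a PostgreSQL server version string to the first releases the post above lists as fixing CVE-2025-1094 (17.3, 16.7, 15.11, 14.16, 13.19) and reports whether the server still needs the update. The live `psql` call in the comment is an assumption about your install (path, user, local trust authentication); the sample version string is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: compare a PostgreSQL server version against the releases that
# first shipped the CVE-2025-1094 fix, as listed in the thread above.

# Minimum fixed minor release per major line. A later reply in this thread notes
# that 15.12 corrected an oversight in the 15.11 change, so you may prefer to
# raise the 15.x threshold to 12.
pg_min_fixed_minor() {
    case "$1" in
        17) echo 3 ;;
        16) echo 7 ;;
        15) echo 11 ;;
        14) echo 16 ;;
        13) echo 19 ;;
        *)  echo "" ;;   # no fixed release known here for this major line (e.g. EOL 12.x)
    esac
}

# pg_is_fixed "<version>": exit 0 if the server is at or above the fixed release
# for its major line, 1 if it is older, 2 if the string cannot be parsed or the
# major line is unknown. Accepts the raw output of SELECT version()
# ("PostgreSQL 15.10 on x86_64-...") or a bare "15.10.1".
pg_is_fixed() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*PostgreSQL \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    min=$(pg_min_fixed_minor "$major")
    [ -n "$min" ] || return 2
    [ "$minor" -ge "$min" ]
}

# pg_report "<version>": one-line verdict on stdout, exit status as pg_is_fixed.
pg_report() {
    if pg_is_fixed "$1"; then
        echo "OK: $1"
        return 0
    else
        rc=$?
    fi
    if [ "$rc" -eq 1 ]; then
        echo "UPDATE NEEDED: $1"
    else
        echo "UNKNOWN: $1"
    fi
    return "$rc"
}

# Constructed sample in the shape of SELECT version() on a Windows host
# (the 15.10 line is what the post says ships with the Veeam 12.3 setup).
SAMPLE_VERSION='PostgreSQL 15.10, compiled by Visual C++ build 1914, 64-bit'

# Live usage (assumed psql location, user and local auth; adjust for your server):
#   pg_report "$(psql -U postgres -h localhost -Atc 'SELECT version();')"
```

The script deliberately refuses to guess for major lines it does not know (exit 2) rather than reporting them as patched; an end-of-life line such as 12.x gets no fix at all and needs a major upgrade, not a minor one.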



 

thx @Mate0sh

Here is the procedure for the fix:

Upgrading the SQL Database Engine Software (PostgreSQL) Used by Veeam Backup & Replication | Veeam Community Resource Hub


Hi all, a new build for PostgreSQL 15 was released four days ago (PostgreSQL 15.12, 20-02-2025) to fix one serious oversight, as they wrote, introduced with the changes made to fix CVE-2025-1094 “PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation” (related to “Improve behavior of libpq's quoting functions”), a fix that was introduced with exactly the previous build, PostgreSQL 15.11. Cheers.

