Programmer’s Digest #122
02/12/2025-02/19/2025 PostgreSQL Vulnerability, New OpenSSH Flaws, Marstech1 JavaScript Implant And More.
1. PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks
Threat actors behind the December 2024 zero-day exploitation of BeyondTrust PRA and RS products likely also leveraged a newly discovered SQL injection flaw in PostgreSQL. Tracked as CVE-2025-1094 (CVSS 8.1), the vulnerability affects PostgreSQL’s interactive tool psql. Attackers can exploit it to achieve arbitrary code execution via meta-commands. Rapid7 discovered this issue while investigating CVE-2024-12356, a BeyondTrust flaw enabling unauthenticated remote code execution.
Successful exploitation of CVE-2024-12356 required CVE-2025-1094. PostgreSQL maintainers have patched the issue in versions 13.19, 14.16, 15.11, 16.7, and 17.3. The flaw stems from improper handling of invalid UTF-8 characters, allowing attackers to execute shell commands using the shortcut “!”. Meanwhile, CISA has added CVE-2024-57727, affecting SimpleHelp remote support software (CVSS 7.5), to its KEV catalog, mandating fixes by March 6, 2025.
2. New OpenSSH Flaws Expose SSH Servers to MitM And DoS Attacks
OpenSSH has released security updates for two vulnerabilities: a man-in-the-middle (MitM) flaw (CVE-2025-26465) and a denial-of-service (DoS) issue (CVE-2025-26466). CVE-2025-26465, present since OpenSSH 6.8p1 (2014), affects clients with VerifyHostKeyDNS enabled, allowing attackers to hijack SSH sessions by forcing an out-of-memory error. Though disabled by default, the option was enabled in FreeBSD from 2013–2023. CVE-2025-26466, introduced in OpenSSH 9.5p1 (2023), stems from unrestricted memory allocation during key exchange. Attackers can overload system resources by repeatedly sending small ping messages. Disabling VerifyHostKeyDNS and manually verifying SSH fingerprints are advised. To mitigate DoS risks, admins should enforce connection rate limits and monitor SSH traffic.
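As an added example, not code from the OpenSSH project or the advisory, the following Python script shows the kind of SSH traffic monitoring recommended above: it scans constructed sshd log lines (the "Connection from" format sshd writes at LogLevel VERBOSE is assumed) and flags source addresses that open more than a threshold of connections inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the connection line sshd writes at LogLevel VERBOSE (assumed format):
#   <timestamp> sshd[<pid>]: Connection from <src> port <n> on <dst> port 22 ...
CONN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Connection from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log: one normal login from 198.51.100.20 and a burst of
# eight connections from 203.0.113.7 within three seconds (documentation-range
# addresses, not real indicators).
_LINES = [
    '2025-02-18T10:00:00 sshd[1201]: Connection from 198.51.100.20 port 44110 on 192.0.2.10 port 22 rdomain ""',
    "2025-02-18T10:00:03 sshd[1201]: Accepted publickey for alice from 198.51.100.20 port 44110 ssh2",
]
for i in range(8):
    _LINES.append(
        f"2025-02-18T10:00:{10 + i // 2:02d} sshd[{1300 + i}]: Connection from "
        f'203.0.113.7 port {51000 + i} on 192.0.2.10 port 22 rdomain ""'
    )
SAMPLE_LOG = "\n".join(_LINES)


def burst_sources(log_text, window_seconds=10, threshold=5):
    """Return {source_ip: peak_count} for every source that opened more than
    `threshold` connections inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # not a new-connection line
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window_seconds:  # drop connections older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, count in burst_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} connections in a 10s window, candidate for rate limiting")
```

Flagged sources are candidates for firewall-level rate limiting; sshd's own MaxStartups directive additionally caps concurrent unauthenticated connections regardless of source.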
3. Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks
The Lazarus Group has been linked to Marstech1, a new JavaScript implant used in targeted attacks against developers. Dubbed Marstech Mayhem by SecurityScorecard, the malware was distributed via a now-deleted GitHub profile, SuccessFriend. It collects system data and can be embedded in websites and NPM packages, posing a supply chain risk.
Active since December 2024, the attack has impacted 233 victims across the U.S., Europe, and Asia. Marstech1 targets Chromium-based browser directories, altering settings for wallets like MetaMask, Exodus, and Atomic. It can also download additional payloads and exfiltrate stolen data. The implant uses advanced obfuscation techniques to evade detection. Meanwhile, Recorded Future uncovered a related North Korean operation, PurpleBravo, targeting cryptocurrency firms through fraudulent IT hires. These workers act as insider threats, stealing data and facilitating cyberattacks. Organizations hiring North Korean IT workers risk violating sanctions and facing security threats.
4. Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software
Palo Alto Networks has patched a high-severity authentication bypass flaw in PAN-OS, tracked as CVE-2025-0108 (CVSS 7.8). The flaw allows unauthenticated attackers with network access to invoke PHP scripts via the management interface, impacting system integrity and confidentiality.
The issue stems from discrepancies in how Nginx and Apache handle requests, enabling directory traversal attacks. It affects multiple PAN-OS versions, with fixes available in 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9. GreyNoise has detected active exploitation attempts from IPs in the U.S., China, and Israel. Palo Alto Networks confirmed ongoing attacks, warning that CVE-2025-0108 can be chained with CVE-2024-9474 for unauthorized access. Users should immediately apply patches and restrict access to the management interface. Those not using OpenConfig should disable or uninstall the plugin to mitigate risk.