US Treasury Hacked via Decade-Old PostgreSQL Zero-Day
2025-03-17

The US Treasury suffered a data breach in which attackers exploited a nearly decade-old SQL injection vulnerability in PostgreSQL. The attack wasn't a simple SQL injection; it relied on the output of an internal Postgres string-escaping method being fed directly into the psql command-line tool. Attackers used two bytes, `c0 27`, to bypass BeyondTrust's PAM tool and the pg_escape_string function, gaining full psql control and executing arbitrary system commands. The incident shows how subtle, long-standing vulnerabilities, even in heavily scrutinized open-source projects, can lead to severe security breaches.
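
Why the two bytes `c0 27` matter, as an added example that is not from the article, BeyondTrust, or PostgreSQL's source: `0xC0` is never a valid UTF-8 lead byte, and `0x27` is an ASCII single quote. The escaper below is a deliberately simplified, hypothetical model (all function names are assumptions) of one that trusts the length a lead byte claims, shown next to a strict-validation gate that rejects the malformed input before escaping.

```python
# Added illustration; simplified model, not PostgreSQL's or BeyondTrust's code.
# All function names are hypothetical.

def lead_len(b: int) -> int:
    """Length a UTF-8 lead byte claims, without checking the bytes that follow."""
    if b >> 5 == 0b110:
        return 2
    if b >> 4 == 0b1110:
        return 3
    if b >> 3 == 0b11110:
        return 4
    return 1

def naive_escape(raw: bytes) -> bytes:
    """Double single quotes, but copy claimed multi-byte sequences unexamined."""
    out, i = bytearray(), 0
    while i < len(raw):
        n = lead_len(raw[i])
        if n == 1 and raw[i] == 0x27:
            out += b"''"          # ordinary quote: escaped by doubling
        else:
            out += raw[i:i + n]   # "multi-byte character": copied as-is
        i += n
    return bytes(out)

def is_strict_utf8(raw: bytes) -> bool:
    """True only if every byte sequence is well-formed UTF-8."""
    try:
        raw.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False

def safe_escape(raw: bytes) -> bytes:
    """Reject malformed input before any escaping is attempted."""
    if not is_strict_utf8(raw):
        raise ValueError("malformed UTF-8 rejected before escaping")
    return naive_escape(raw)

def unpaired_quotes(escaped: bytes) -> int:
    """Count quotes left undoubled, i.e. ones that would end a SQL literal."""
    return escaped.replace(b"''", b"").count(b"'")

if __name__ == "__main__":
    sample = b"x\xc0'y"  # constructed input containing the c0 27 pair
    print(unpaired_quotes(naive_escape(b"o'brien")))  # well-formed input
    print(unpaired_quotes(naive_escape(sample)))      # quote slips through
    print(is_strict_utf8(sample))
```

Validating encoding at the boundary is defense in depth; it does not replace applying the vendor fixes or passing values as bound parameters instead of building text for psql.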