Rapid7 researchers have discovered that the Chinese state-sponsored hackers suspected of being behind the U.S. Treasury attack in December leveraged a second zero-day. It was initially believed that the attackers compromised the Treasury via CVE-2024-12356, an unauthenticated command injection vulnerability. However, Rapid7 researchers discovered that CVE-2025-1094 must also have been used in the hack. This vulnerability stems from how the PostgreSQL interactive tool handles certain invalid byte sequences, allowing SQL injection.
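The bug class named above, quoting logic confused by an invalid multi-byte sequence, is easier to reason about with a small illustration. The following is an added example written for this page; it is not the PostgreSQL or psql source and does not reproduce the actual CVE-2025-1094 mechanics. The escaper, the check function and the byte input are all constructed: `naive_quote_literal` mimics an escaper that trusts a UTF-8 lead byte to tell it how many continuation bytes to skip, while `safe_quote_literal` validates the bytes as UTF-8 before escaping and refuses anything invalid.

```python
"""Constructed illustration of quote escaping confused by invalid UTF-8.

Hypothetical code for this page, not the PostgreSQL/psql implementation.
"""


def _expected_len(lead: int) -> int:
    """Sequence length a UTF-8 lead byte announces (1 for ASCII or junk)."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 1  # stray continuation or invalid lead byte: treat as single byte


def naive_quote_literal(raw: bytes) -> bytes:
    """Weak pattern: skips 'continuation' bytes without checking they are
    real continuation bytes, so a quote can be swallowed into a half-formed
    multi-byte character and never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = _expected_len(raw[i])
        chunk = raw[i:i + n]
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)


def safe_quote_literal(raw: bytes) -> bytes:
    """Hardened pattern: reject input that is not valid UTF-8 up front, then
    escape on decoded text so quoting cannot depend on byte-level guesses."""
    try:
        text = raw.decode("utf-8")  # strict: raises on invalid sequences
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid byte sequence in input: {exc.reason}") from exc
    return ("'" + text.replace("'", "''") + "'").encode("utf-8")


def quote_is_balanced(literal: bytes) -> bool:
    """Defensive check: every single quote inside the literal body is doubled."""
    body = literal[1:-1]
    i = 0
    while i < len(body):
        if body[i:i + 1] == b"'":
            if body[i + 1:i + 2] != b"'":
                return False
            i += 2
        else:
            i += 1
    return True


# Constructed inputs: a benign name with an apostrophe, and a lead byte that
# announces a two-byte character but is followed by a quote instead.
VALID_INPUT = b"O'Reilly"
INVALID_INPUT = b"\xc3'"

if __name__ == "__main__":
    print(naive_quote_literal(VALID_INPUT), quote_is_balanced(naive_quote_literal(VALID_INPUT)))
    print(naive_quote_literal(INVALID_INPUT), quote_is_balanced(naive_quote_literal(INVALID_INPUT)))
    try:
        safe_quote_literal(INVALID_INPUT)
    except ValueError as err:
        print("rejected:", err)
```

The takeaway for defenders is the second function's shape: validate the encoding of untrusted input before any escaping or quoting runs, and treat an invalid byte sequence as a hard error rather than something to pass through. Parameterized queries avoid the quoting problem entirely and remain the preferred mitigation.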