Written by: Ferdi Gül

This week’s Focus Friday blog highlights two critical vulnerabilities impacting enterprise systems: CVE-2025-1094 in PostgreSQL and CVE-2023-34192 in Zimbra Collaboration Suite (ZCS). These vulnerabilities pose significant risks to third-party ecosystems, potentially leading to SQL injection attacks in PostgreSQL and Cross-Site Scripting (XSS) exploits in Zimbra.

As organizations continue to rely on third-party software and cloud-based platforms, understanding the implications of these security flaws is vital for effective Third-Party Risk Management (TPRM). Both vulnerabilities have been flagged due to their potential to enable unauthorized data access, account takeovers, and even remote code execution (RCE) when combined with other exploits.

In this blog, we examine the details of CVE-2025-1094 and CVE-2023-34192, outlining their impact, mitigation strategies, and TPRM considerations. We also explore how Black Kite’s FocusTags™ can help organizations rapidly assess vendor exposure and proactively mitigate risks.

Filtered view of companies with PostgreSQL – Feb2025 FocusTag™ on the Black Kite platform.

CVE-2025-1094: SQL Injection Vulnerability in PostgreSQL

What is the SQL Injection Vulnerability in PostgreSQL?

A newly disclosed vulnerability, CVE-2025-1094, is an improper neutralization of quoting syntax in PostgreSQL's client library and tools. The libpq escaping functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() can leave a quote un-neutralized when the input contains an invalid multibyte sequence for the client encoding, so an application that uses their output to build input for the PostgreSQL interactive terminal (psql) becomes injectable. The PostgreSQL command-line utilities are separately affected when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL.

This vulnerability has been assigned a CVSS score of 8.1 (High). The score reflects full confidentiality, integrity, and availability impact, while the attack complexity is rated high because exploitation depends on these specific usage patterns. PoC exploit code is currently available.
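To make the mechanism concrete, here is an added, simplified Python model of the flaw; it is illustrative code written for this post, not libpq or psql source. It pairs an escaper that trusts the length announced by a multibyte lead byte (the pre-fix behaviour) with a byte-oriented consumer standing in for psql's lexer, and shows the input validation a hardened escaper performs instead. The payload, the UTF-8 client encoding, and the byte-by-byte consumer are assumptions made for the illustration.

```python
# Added, simplified model of CVE-2025-1094. Illustrative code, not libpq or
# psql source. Assumptions: client_encoding is UTF8 and the consumer of the
# escaped text lexes it byte by byte, as psql did for invalid sequences.


def utf8_lead_len(b: int) -> int:
    """Sequence length a UTF-8 lead byte announces; 1 for ASCII or stray bytes."""
    if 0xC0 <= b <= 0xDF:
        return 2
    if 0xE0 <= b <= 0xEF:
        return 3
    if 0xF0 <= b <= 0xF7:
        return 4
    return 1


def flawed_escape_literal(data: bytes) -> bytes:
    """Pre-fix behaviour: the announced length is trusted and the bytes it covers
    are copied verbatim, so a quote hiding behind a truncated lead byte is never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        n = utf8_lead_len(data[i])
        if n == 1 and data[i] == 0x27:      # lone single quote -> doubled
            out += b"''"
        else:                               # copy n bytes without inspecting them
            out += data[i:i + n]
        i += n
    out += b"'"
    return bytes(out)


def hardened_escape_literal(data: bytes) -> bytes:
    """Reject anything that is not valid in the declared client encoding, then escape."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 at byte offset {exc.start}; refusing to escape") from exc
    return b"'" + text.replace("'", "''").encode("utf-8") + b"'"


def tail_after_literal(sql: bytes) -> bytes:
    """Everything a byte-oriented lexer sees after the first quoted literal.
    Correct escaping yields b''; anything else is text that escaped the literal."""
    if sql[:1] != b"'":
        raise ValueError("expected a quoted literal")
    i = 1
    while i < len(sql):
        if sql[i] == 0x27:
            if sql[i + 1:i + 2] == b"'":    # '' is an escaped quote, stay inside
                i += 2
                continue
            return sql[i + 1:]              # lone quote closes the literal
        i += 1
    raise ValueError("unterminated literal")


# Constructed payload: a truncated two-byte lead (0xC0) swallows the quote that
# follows it; the rest would reach psql as a meta-command (\! runs a shell command).
PAYLOAD = b"x\xc0'; \\! id #"

if __name__ == "__main__":
    leaked = tail_after_literal(flawed_escape_literal(PAYLOAD))
    print("flawed escaper leaks:", leaked)
    try:
        hardened_escape_literal(PAYLOAD)
    except ValueError as err:
        print("hardened escaper:", err)
```

On well-formed input (an apostrophe in a name, a valid two-byte character) both escapers produce identical output and the consumer finds nothing after the literal; on the constructed payload the flawed escaper emits `'x\xc0'; \! id #'`, the consumer closes the literal at the un-doubled quote, and `; \! id #` is left over for psql, whereas the hardened escaper refuses the input outright. The same refusal is what makes parameterized queries the better long-term answer: they never let user bytes near the SQL text at all.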

Why Should TPRM Professionals Care About This Vulnerability?

PostgreSQL is widely used in enterprise environments, cloud databases, and web applications. A successful injection could allow unauthorized access or data exfiltration, and because psql's \! meta-command runs shell commands on the host where psql executes, injection into psql input becomes remote code execution (RCE) on that host. Rapid7 found this flaw while analyzing CVE-2024-12356 in BeyondTrust Remote Support, where it was used in exactly such a chain.

Given that SQL injection is one of the most exploited attack vectors, organizations relying on PostgreSQL must assess whether they are exposed to this risk. Additionally:

  • If an attacker gains control over the database, they can modify or delete sensitive records.
  • In multi-tenant environments, unauthorized access to customer data can lead to compliance violations.

Once an attacker breaks out of the quoted literal, psql meta-commands such as \! are available to them, and server-side features like COPY ... TO PROGRAM can execute commands as the database OS user if superuser or pg_execute_server_program privileges are not tightly controlled.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

To determine vendor exposure and risk mitigation strategies, TPRM professionals should ask:

  1. Have you updated all instances of PostgreSQL to the fixed versions (17.3, 16.7, 15.11, 14.16, 13.19) to mitigate the risk of CVE-2025-1094?
  2. Can you confirm whether your applications use the affected libpq functions (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), PQescapeStringConn()) to escape user input that is later passed to psql or to the PostgreSQL command-line utilities?
  3. Have you moved query construction to parameterized queries (for example PQexecParams) rather than building SQL text from PQescapeLiteral() and similar functions, and do you validate that untrusted input is well-formed in the client encoding before it is escaped?
  4. Have you avoided running with client_encoding BIG5 against a server_encoding of EUC_TW or MULE_INTERNAL in environments that handle untrusted input, the combination in which the command-line utilities are exposed?

Remediation Recommendations for Vendors Subject to This Risk

To mitigate the risk of CVE-2025-1094, vendors should:

  • Upgrade PostgreSQL immediately to the fixed versions: 17.3, 16.7, 15.11, 14.16, and 13.19 (released on February 13, 2025). Update libpq-based client packages and drivers as well, since the flawed functions live in the client library.
  • Stop feeding escaped strings to psql: never build psql input from untrusted data, even after escaping. Prefer parameterized queries (PQexecParams and equivalents) over string-built SQL, and reject input that is not valid in the client encoding before it reaches an escaping function.
  • Restrict encoding mismatches: if feasible, avoid client_encoding BIG5 with server_encoding EUC_TW or MULE_INTERNAL where untrusted input is handled.
  • Monitor for exploitation attempts: review database logs for unusual query patterns and for "invalid byte sequence for encoding" errors, which is what the server reports when malformed multibyte input reaches it.
  • Harden PostgreSQL configurations: enforce least privilege (in particular, keep superuser and pg_execute_server_program away from application roles), use strict authentication policies, and disable unnecessary SQL features.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite provides FocusTags™ to help identify vendors at risk of this vulnerability. The PostgreSQL – Feb2025 tag was published on February 19, 2025, and includes:

  • Affected vendors and their assets (IP addresses and subdomains).
  • Risk intelligence on how this vulnerability could impact third-party services.
  • The ability to operationalize this intelligence, allowing organizations to prioritize vendor outreach and mitigation efforts.

For Black Kite customers, this FocusTag enables proactive risk management, helping reduce response times and mitigate third-party exposure to CVE-2025-1094.

Black Kite’s PostgreSQL – Feb2025 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2023-34192: Zimbra Collaboration Suite Cross-Site Scripting (XSS) Vulnerability

What is the Zimbra Collaboration Suite XSS Vulnerability?

CVE-2023-34192 is a critical Cross-Site Scripting (XSS) vulnerability affecting Zimbra Collaboration Suite (ZCS) version 8.8.15. It allows a remote, authenticated attacker to inject script through the /h/autoSaveDraft function; the injected script then runs in the browser of a user who views the affected content, inside that user's authenticated Zimbra session. The vulnerability has a CVSS score of 9.0 and an EPSS score of 90.09%. It was first published on May 30, 2023, and has been exploited in the wild; consequently, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog on February 25, 2025. Specific campaigns or threat actors exploiting it have not been detailed publicly, but its inclusion in the KEV catalog means immediate mitigation is warranted.

Why should TPRM professionals be concerned about this vulnerability?

Third-Party Risk Management (TPRM) professionals should be particularly concerned about CVE-2023-34192 because of its impact on email security and data integrity. Zimbra Collaboration Suite is widely used for email and collaboration services; script running in another user's Zimbra session is enough to read and send mail as that user, steal session tokens, and change account settings, which exposes sensitive information and confidential communications. A compromised mailbox at a vendor is also a credible launch point for convincing phishing against that vendor's own staff and its customers.

What questions should TPRM professionals ask vendors regarding this vulnerability?

To assess the risk and ensure appropriate mitigation measures are in place, TPRM professionals should consider asking vendors the following questions:

  1. Have you applied Patch 40 to all instances of Zimbra Collaboration Suite (ZCS) version 8.8.15 to mitigate the risk of CVE-2023-34192?
  2. Can you confirm that you have enabled web application firewall (WAF) protections to filter and block malicious scripts that could exploit the /h/autoSaveDraft function in Zimbra ZCS v.8.8.15?
  3. Have you implemented measures to monitor system logs and user activities for indicators of exploitation, such as unauthorized script executions or abnormal session behaviors, specifically related to the CVE-2023-34192 vulnerability in Zimbra ZCS v.8.8.15?
  4. Have you limited user privileges for Zimbra accounts and enforced the principle of least privilege (PoLP) to minimize exposure to the CVE-2023-34192 vulnerability?

Remediation Recommendations for Vendors Affected by This Vulnerability

Vendors utilizing Zimbra Collaboration Suite version 8.8.15 should take the following actions to remediate CVE-2023-34192:

  • Apply Patch 40: Immediately update to Patch 40, which addresses this specific vulnerability.
  • Restrict User Privileges: Implement the principle of least privilege by limiting user permissions to minimize potential exploitation vectors.
  • Enable Web Application Firewalls (WAF): Deploy WAFs to filter and block malicious script injections targeting the /h/autoSaveDraft function.
  • Monitor System Logs: Regularly review logs for indicators of compromise, such as unauthorized script executions or abnormal user activities.
  • Maintain Updated Systems: Ensure all Zimbra instances are running the latest security updates to protect against known vulnerabilities.
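A vendor's answer to the patch-level questions in the PostgreSQL and Zimbra remediation lists above is only as good as the version string behind it. The following added Python helper (written for this post; not Black Kite, PostgreSQL or Zimbra tooling) classifies a pasted PostgreSQL server version or `zmcontrol -v` line against the fixed releases named in both lists. The output formats it parses and the sample strings it carries are assumptions constructed for the illustration.

```python
# Added helper for verifying vendor patch-level claims; not Black Kite, PostgreSQL
# or Zimbra tooling. Assumes version strings in the shapes produced by PostgreSQL's
# SHOW server_version / SELECT version() and Zimbra's `zmcontrol -v`; all sample
# strings below are constructed.
import re

# CVE-2025-1094: first fixed minor per supported PostgreSQL major (2025-02-13 releases).
PG_FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# CVE-2023-34192: ZCS 8.8.15 is fixed at Patch 40 and later.
ZCS_RELEASE = (8, 8, 15)
ZCS_FIXED_PATCH = 40


def check_postgres(version_text: str) -> tuple[str, str]:
    """Return ("fixed" | "vulnerable" | "unknown", reason) for a server version string."""
    m = re.search(r"\b(\d+)\.(\d+)\b", version_text)
    if not m:
        return "unknown", "no major.minor version found"
    major, minor = int(m.group(1)), int(m.group(2))
    if major in PG_FIXED_MINOR:
        need = PG_FIXED_MINOR[major]
        if minor >= need:
            return "fixed", f"{major}.{minor} is at or past {major}.{need}"
        return "vulnerable", f"{major}.{minor} is below {major}.{need}"
    if major < 13:
        return "vulnerable", f"{major}.x is out of community support; no fix was released for it"
    return "unknown", f"major {major} is not in the advisory's fixed-version table; verify manually"


def check_zimbra(zmcontrol_output: str) -> tuple[str, str]:
    """Return ("fixed" | "vulnerable" | "unknown", reason) for `zmcontrol -v` output."""
    rel = re.search(r"Release\s+(\d+)\.(\d+)\.(\d+)", zmcontrol_output)
    if not rel:
        return "unknown", "no Release line found"
    release = tuple(int(x) for x in rel.groups())
    if release != ZCS_RELEASE:
        return "unknown", "release is not 8.8.15, the line CVE-2023-34192 is filed against"
    patch = re.search(r"Patch\s+8\.8\.15_P(\d+)", zmcontrol_output)
    if not patch:
        return "vulnerable", "8.8.15 GA with no patch level reported"
    level = int(patch.group(1))
    if level >= ZCS_FIXED_PATCH:
        return "fixed", f"Patch {level} is at or past Patch {ZCS_FIXED_PATCH}"
    return "vulnerable", f"Patch {level} is below Patch {ZCS_FIXED_PATCH}"


# Constructed sample responses a vendor might paste back.
SAMPLES = {
    "pg-16.6": "PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "pg-17.3": "17.3 (Debian 17.3-1.pgdg120+1)",
    "pg-12.22": "PostgreSQL 12.22 on x86_64-pc-linux-gnu, 64-bit",
    "zcs-p39": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P39.",
    "zcs-p46": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P46.",
    "zcs-10": "Release 10.0.7.GA.4518.UBUNTU22.64 UBUNTU22_64 NETWORK edition.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, why = check_zimbra(text) if name.startswith("zcs") else check_postgres(text)
        print(f"{name:8s} {status:10s} {why}")
```

The three-way result matters in practice: a PostgreSQL 12 answer is not "unknown" but unfixed, because the February 2025 releases covered only 13 through 17, while a Zimbra release outside the 8.8.15 line falls outside what this CVE is filed against and needs a separate check rather than a green tick.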

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite has proactively addressed CVE-2023-34192 by publishing a FocusTag titled “Zimbra XSS” on February 27, 2025. This tag assists TPRM professionals in identifying and assessing potential exposure to this vulnerability within their vendor ecosystems. By utilizing Black Kite’s platform, professionals can:

  • Identify At-Risk Vendors: Determine which vendors use Zimbra Collaboration Suite version 8.8.15 and assess their patch management status.
  • Access Asset Information: Obtain detailed asset data, including IP addresses and subdomains, to pinpoint systems susceptible to exploitation.
  • Monitor Remediation Efforts: Track vendors’ progress in applying necessary patches and implementing recommended security measures.

Black Kite’s Zimbra XSS FocusTag™ details critical insights on the event for TPRM professionals.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

In the ever-evolving cybersecurity landscape, staying ahead of vulnerabilities is crucial for Third-Party Risk Management (TPRM). Black Kite’s FocusTags™ offer organizations an intelligent way to track vendor exposure, prioritize threats, and respond effectively to cyber risks.

By leveraging FocusTags™, TPRM professionals can:

  • Identify At-Risk Vendors in Real Time – Quickly determine which third-party vendors are affected by PostgreSQL and Zimbra vulnerabilities.
  • Prioritize Risk Response – Assess vendor criticality and vulnerability severity to focus efforts on the highest-impact threats.
  • Enhance Vendor Communication – Engage in informed discussions with vendors about their exposure and remediation plans.
  • Strengthen Cybersecurity Posture – Gain a comprehensive view of emerging threats to develop proactive risk mitigation strategies.

For vulnerabilities like CVE-2025-1094 and CVE-2023-34192, FocusTags™ help organizations cut through the noise, pinpoint affected vendors, and implement targeted security measures. In an environment where timely action is key to mitigating supply chain risks, Black Kite’s FocusTags™ provide the intelligence needed to stay ahead of evolving cyber threats.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • PostgreSQL – Feb2025: CVE-2025-1094, SQLi Vulnerability, Improper Neutralization of Quoting Syntax in PostgreSQL.
  • Zimbra XSS: CVE-2023-34192, Cross-Site Scripting (XSS) Vulnerability in Zimbra Collaboration Suite (ZCS).
  • PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
  • Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
  • Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
  • Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
  • FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
  • QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
  • Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
  • W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
  • Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
  • Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
  • SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
  • SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’s SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
  • Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
  • Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and Path Traversal Vulnerability in Progress WhatsUp Gold.
  • GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1094

https://www.postgresql.org/support/security/CVE-2025-1094

https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis

https://github.com/rapid7/metasploit-framework/pull/19877

https://nvd.nist.gov/vuln/detail/CVE-2023-34192

https://securityonline.info/cisa-flags-actively-exploited-zimbra-cve-2023-34192-and-microsoft-cve-2024-49035-vulnerabilities

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P40#Security_Fixes