{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/postgresql/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2023-5869"},{"cvss":7.5,"id":"CVE-2023-39417"},{"cvss":8.8,"id":"CVE-2024-7348"}],"_cs_exploited":false,"_cs_products":["ABB Ability Symphony Plus S+ Engineering 2.2","ABB Ability Symphony Plus S+ Engineering 2.3","ABB Ability Symphony Plus S+ Engineering 2.3 RU1","ABB Ability Symphony Plus S+ Engineering 2.3 RU2","ABB Ability Symphony Plus S+ Engineering 2.3 RU3","ABB Ability Symphony Plus S+ Engineering 2.4","ABB Ability Symphony Plus S+ Engineering 2.4 SP1","ABB Ability Symphony Plus S+ Engineering 2.4 SP2"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","ics","postgresql"],"_cs_type":"advisory","_cs_vendors":["ABB"],"content_html":"\u003cp\u003eABB Ability Symphony Plus Engineering versions 2.2 through 2.4 SP2 are susceptible to multiple vulnerabilities originating in the included PostgreSQL database. An attacker gaining access to the S+ Client Server network could exploit CVE-2023-5869 (Integer Overflow), CVE-2023-39417 (SQL Injection), and CVE-2024-7348 (TOCTOU race condition) to execute arbitrary code and potentially compromise the entire ABB system. This poses a significant risk to organizations in critical infrastructure sectors, including Chemical, Critical Manufacturing, Energy, and Water/Wastewater, as these systems are vital for operational control and safety. Successful exploitation could result in loss of control, data breaches, or disruption of essential services. 
ABB released S+ Engineering 2.4 SP2 RU1 in December 2024 as a fix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target network, specifically the S+ Client Server network, possibly through existing vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the PostgreSQL database server used by ABB Ability Symphony Plus Engineering.\u003c/li\u003e\n\u003cli\u003eAttacker exploits CVE-2023-5869 by providing crafted data to trigger an integer overflow, enabling arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits CVE-2023-39417 by injecting malicious SQL code through extension scripts, leading to arbitrary code execution with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits CVE-2024-7348, leveraging a TOCTOU race condition to execute arbitrary SQL functions with elevated privileges using a PostgreSQL utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the compromised ABB Ability Symphony Plus Engineering application or the underlying PostgreSQL database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the OT network, potentially targeting other critical systems or data repositories.\u003c/li\u003e\n\u003cli\u003eAttacker achieves complete compromise of the ABB Ability Symphony Plus Engineering system, allowing manipulation of industrial processes, data exfiltration, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities in ABB Ability Symphony Plus Engineering can have severe consequences, particularly in critical infrastructure sectors. Affected sectors include chemical, critical manufacturing, energy, and water/wastewater facilities worldwide. 
A compromised system could allow attackers to manipulate industrial processes, leading to equipment damage, environmental incidents, or disruption of essential services like power generation or water treatment. The vulnerabilities could allow attackers to gain unauthorized access to sensitive data, intellectual property, or control systems, resulting in significant financial losses, reputational damage, and potential safety risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ABB Ability Symphony Plus Engineering to version 2.4 SP2 RU1 (released in December 2024) or later, as recommended by ABB, to address the identified vulnerabilities (Vendor fix).\u003c/li\u003e\n\u003cli\u003eReview and enforce network segmentation and firewall configurations to restrict access to the S+ client/server network, mitigating the risk of external attackers exploiting these vulnerabilities (Mitigation).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity indicative of PostgreSQL exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious PostgreSQL Utility Execution\u003c/code\u003e to identify potential exploitation of CVE-2024-7348.\u003c/li\u003e\n\u003cli\u003eEnable logging of PostgreSQL queries and analyze logs for SQL injection attempts, specifically looking for suspicious use of extension scripts. 
Deploy the Sigma rule \u003ccode\u003eDetect SQL Injection in PostgreSQL Logs\u003c/code\u003e to identify potential exploitation of CVE-2023-39417.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-abb-symphony-vulns/","summary":"Multiple vulnerabilities in ABB Ability Symphony Plus Engineering, stemming from underlying PostgreSQL flaws, could allow a remote attacker with network access to execute arbitrary code and compromise the system.","title":"ABB Ability Symphony Plus Engineering Vulnerabilities Allow Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-abb-symphony-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-40906"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sql-injection","electricsql","postgresql"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElectric, a Postgres sync engine, is vulnerable to SQL injection in the \u003ccode\u003eorder_by\u003c/code\u003e parameter of the ElectricSQL \u003ccode\u003e/v1/shape\u003c/code\u003e API endpoint. This vulnerability exists in versions 1.1.12 to before 1.5.0. Exploitation allows any authenticated user to execute arbitrary SQL queries, leading to potential data breaches, data manipulation, and complete database compromise. Successful exploitation can result in unauthorized access to sensitive information, modification of critical data, and denial of service. Organizations using vulnerable versions of ElectricSQL are at high risk. 
The vulnerability is resolved in version 1.5.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ElectricSQL application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/v1/shape\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload within the \u003ccode\u003eorder_by\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe ElectricSQL application processes the request without proper sanitization of the \u003ccode\u003eorder_by\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL payload is executed against the underlying PostgreSQL database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection vulnerability to extract sensitive data, such as user credentials or proprietary information, using \u003ccode\u003eSELECT\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by manipulating database objects or creating new administrative accounts using \u003ccode\u003eCREATE\u003c/code\u003e and \u003ccode\u003eALTER\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker destroys data or renders the database unavailable using \u003ccode\u003eDELETE\u003c/code\u003e and \u003ccode\u003eDROP\u003c/code\u003e statements, achieving complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to a complete compromise of the underlying PostgreSQL database. This may result in unauthorized access to sensitive data, including customer information, financial records, and intellectual property. Attackers could also modify or delete data, leading to data loss, service disruption, and reputational damage. 
Given the potential for complete data destruction, organizations are urged to remediate this vulnerability immediately.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ElectricSQL to version 1.5.0 or later to patch the vulnerability (CVE-2026-40906).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data, especially in the \u003ccode\u003eorder_by\u003c/code\u003e parameter of the \u003ccode\u003e/v1/shape\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the \u003ccode\u003eorder_by\u003c/code\u003e parameter of requests to the \u003ccode\u003e/v1/shape\u003c/code\u003e API to enable the \u0026ldquo;Detect Suspicious SQL Injection Attempt in ElectricSQL API Request\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious SQL Injection Error Messages\u0026rdquo; to identify potential exploitation attempts based on error responses from the database server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-electric-sql-injection/","summary":"The ElectricSQL sync engine is vulnerable to SQL injection, potentially allowing authenticated users to read, write, and destroy the underlying PostgreSQL database.","title":"ElectricSQL /v1/shape API SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-electric-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","postgresql","jdbc"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within the PostgreSQL JDBC Driver that allows for SQL injection attacks. 
The specifics of the vulnerable versions are not provided; however, exploitation allows a remote, unauthenticated attacker to inject arbitrary SQL commands into the application\u0026rsquo;s database queries. This can lead to data exfiltration, modification, or even complete database compromise. The lack of specific version information makes targeted patching difficult, emphasizing the need for broad detection and prevention strategies. Successful exploitation can have severe consequences for applications relying on the vulnerable JDBC driver, impacting data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using a vulnerable version of the PostgreSQL JDBC driver.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL injection payload designed to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload through a user-supplied input field, such as a form or API endpoint.\u003c/li\u003e\n\u003cli\u003eThe application, using the vulnerable JDBC driver, constructs an SQL query incorporating the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed by the PostgreSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete data, potentially causing application malfunction or data loss.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the SQL injection to execute operating system commands on the database server if the database user has sufficient privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to complete compromise of the application database. 
This can result in the exfiltration of sensitive data (credentials, PII, financial records), unauthorized data modification or deletion, and potential disruption of application services. The number of potential victims is vast, as many applications use the PostgreSQL JDBC driver to connect to PostgreSQL databases. The impact ranges from data breaches and financial loss to reputational damage and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements in application code to prevent SQL injection (reference secure coding practices).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious SQL queries indicative of injection attempts (Sigma rules below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns or error messages related to database interactions (webserver log source).\u003c/li\u003e\n\u003cli\u003eRegularly update the PostgreSQL JDBC driver to the latest version from a trusted source after vendor confirms fix.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:21:21Z","date_published":"2026-03-24T10:21:21Z","id":"/briefs/2024-06-postgresql-jdbc-injection/","summary":"An anonymous, remote attacker can exploit a vulnerability in the PostgreSQL JDBC Driver to perform SQL injection attacks.","title":"PostgreSQL JDBC Driver SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-06-postgresql-jdbc-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Postgresql","version":"https://jsonfeed.org/version/1.1"}