CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical Redis Lua Use-After-Free Vulnerability Exploitable for Remote Code Execution

First reported
Last updated
4 unique sources, 4 articles

Summary

Hide ▲

A critical vulnerability in Redis, tracked as CVE-2025-49844 and dubbed "RediShell", allows authenticated attackers to achieve remote code execution on vulnerable instances. The flaw, a 13-year-old use-after-free weakness in the Redis Lua scripting engine, affects all versions of Redis and can be exploited to gain full access to the host system. Successful exploitation can lead to data exfiltration, encryption, or lateral movement within cloud environments. The vulnerability impacts approximately 330,000 exposed Redis instances, with around 60,000 of them not requiring authentication. Patches have been released in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, and administrators are urged to update their instances immediately. Additional patches have been released for versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131. Temporary workarounds include setting an access control list (ACL) to restrict EVAL and EVALSHA commands. The vulnerability was discovered and reported by cloud security company Wiz on May 16, 2025. The flaw was jointly disclosed by Redis and Wiz on October 3, 2025. There is no evidence that the vulnerability was exploited in the wild. The flaw exploits a use-after-free (UAF) memory corruption bug, allowing attackers to escape the Lua sandbox and achieve arbitrary code execution. Wiz recommended implementing Redis authentication and network access controls, and urged organizations to prioritize patching Redis instances exposed to the Internet.

Timeline

  1. 06.10.2025 18:55 4 articles · 7d ago

    Critical Redis Lua Use-After-Free Vulnerability Disclosed

    The flaw affects Redis versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131. The flaw was jointly disclosed by Redis and Wiz on October 3, 2025. The article also mentions that Redis is used by approximately 75% of cloud environments. The article reiterates the advice to enable authentication, restrict access to trusted networks, disable Lua scripting if not required, run Redis as a non-root user, enforce firewalls and Virtual Private Clouds (VPCs), and monitor logs for suspicious behavior.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

RMPocalypse Vulnerability in AMD Secure Encrypted Virtualization

Academic researchers from ETH Zurich discovered a vulnerability in AMD processors that affects the integrity of confidential computing. The flaw, named RMPocalypse, allows a malicious hypervisor to corrupt the Reverse Map Table (RMP) during initialization, compromising the security guarantees of AMD's Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). The vulnerability, tracked as CVE-2025-0033, impacts multiple AMD EPYC and EPYC Embedded series processors. AMD has released patches to OEMs, and Microsoft is working on updates for Azure Confidential Computing's AMD-based clusters. Supermicro has also acknowledged the vulnerability and will require BIOS updates for impacted motherboard SKUs. The RMPocalypse exploit enables attackers to break confidentiality and integrity guarantees of SEV-SNP, potentially allowing for debug access, fake attestation, VMSA state replay, and code injection. The exploit can be triggered by a single 8-byte write to the RMP, resulting in a full breach of confidentiality and integrity guarantees of SEV-SNP.

Open in new tab

Active exploitation of authentication bypass in Service Finder WordPress theme

Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme, allowing them to bypass authentication and gain administrative access. The flaw, tracked as CVE-2025-5947, affects versions 6.0 and older and has been exploited since September 2025. The vulnerability is present in the Service Finder Bookings plugin bundled with the Service Finder theme. Over 13,800 exploitation attempts have been recorded since August 2025, with a surge of over 1,500 attempts daily in late September. The flaw affects over 6,100 customers using the theme. Administrators are advised to update to version 6.1 or stop using the theme to mitigate the risk.

Open in new tab

Rhadamanthys Stealer Adds Device Fingerprinting, PNG Steganography Payloads

Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins.

Open in new tab

GeoServer RCE Exploit Used in Federal Agency Breach

A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.

Open in new tab

Critical Deserialization RCE Vulnerability in SolarWinds Web Help Desk

SolarWinds has released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files.

Open in new tab