CVE-2025-49844
Published: 2025-10-03
Priority: P196 · critical · CVSS 3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 86.77% (99.7th percentile)
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redict | < redict 7.3.6+ds-1 (forky) | redict 7.3.6+ds-1 (forky) |
| debian | redis | < redict 7.3.6+ds-1 (forky) | redict 7.3.6+ds-1 (forky) |
| debian | valkey | < redict 7.3.6+ds-1 (forky) | redict 7.3.6+ds-1 (forky) |
| lfprojects | valkey | < 7.2.11 | 7.2.11 |
| lfprojects | valkey | >= 0 < 8.1.1+dfsg1-3+deb13u1 | 8.1.1+dfsg1-3+deb13u1 |
| lfprojects | valkey | >= 0 < 8.1.4+dfsg1-1 | 8.1.4+dfsg1-1 |
| lfprojects | valkey | >= 0 < 7.2.11+dfsg1-0ubuntu0.2 | 7.2.11+dfsg1-0ubuntu0.2 |
| lfprojects | valkey | >= 0 < 8.1.4+dfsg1-0ubuntu0.2 | 8.1.4+dfsg1-0ubuntu0.2 |
| lfprojects | valkey | >= 8.0.0 < 8.0.6 | 8.0.6 |
| lfprojects | valkey | >= 8.1.0 < 8.1.4 | 8.1.4 |
| msrc | azl3_ceph_18.2.2-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_valkey_8.0.4-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_ceph_16.2.10-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_redis_6.2.18-3_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
| redis | redis | < 8.2.2 | 8.2.2 |
| redis | redis | < 6.2.20 | 6.2.20 |
| redis | redis | >= 0 < 5:6.0.16-1+deb11u8 | 5:6.0.16-1+deb11u8 |
| redis | redis | >= 0 < 5:7.0.15-1~deb12u6 | 5:7.0.15-1~deb12u6 |
| redis | redis | >= 0 < 5:8.0.2-3+deb13u1 | 5:8.0.2-3+deb13u1 |
| redis | redis | >= 0 < 5:8.0.4-1 | 5:8.0.4-1 |
| redis | redis | >= 7.0 < 7.2.11 | 7.2.11 |
| redis | redis | >= 7.4.0 < 7.4.6 | 7.4.6 |
| redis | redis | >= 8.0.0 < 8.0.4 | 8.0.4 |
| redis | redis | >= 8.2.0 < 8.2.2 | 8.2.2 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for EVAL/EVALSHA commands sent to Redis instances, especially from unauthenticated or unexpected sources; the exploit requires sending a specially crafted Lua script via these commands.
- Check Point IPS signature 'Redis Use After Free (CVE-2025-49844)' is available for network-level detection of exploit attempts.
- Flag Redis instances exposed to the internet with no authentication configured as highest-priority targets; approximately 60,000 such instances exist and are trivially exploitable without any credential requirement.
- Monitor for reverse shell establishment originating from the Redis server process following EVAL/EVALSHA command execution, as successful exploitation establishes a reverse shell for persistent access.
- Post-exploitation, watch for access to .ssh keys, IAM tokens, and certificates from the Redis process, as well as installation of cryptominers or malware on the Redis host.
- Alert on Redis instances running as root; exploitation of CVE-2025-49844 on a root-running Redis process grants full host compromise immediately.
- The vulnerability is already being abused by botnets and ransomware actors; correlate Redis exploitation indicators with known botnet C2 traffic patterns.
- Lua scripting is enabled by default in Redis, meaning all default deployments are vulnerable without additional hardening. Disabling EVAL/EVALSHA via ACLs is a viable workaround if patching is not immediately possible.
- The official Redis container image does not require authentication by default, meaning 57% of cloud environments deploying Redis as a container image may be unauthenticated and directly exploitable by any network-reachable attacker.
- The vulnerability affects all Redis versions (including forks such as Valkey and managed services like Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis) due to its root cause in the underlying Lua interpreter.
- Exploitation requires authenticated access to Redis, but the large number of unauthenticated internet-exposed instances (~60,000) effectively removes this barrier for a significant portion of the attack surface.
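An added example (not taken from the advisory or any quoted source): a triage helper that applies the upstream Redis fixed versions from the table above and the EVAL/EVALSHA ACL workaround to one instance's `INFO` and `ACL LIST` output. The sample input is constructed, the function names are hypothetical, the ACL evaluator is a simplification that ignores selectors, and treating EVAL/EVALSHA as members of the `@scripting` and `@slow` categories is an assumption from Redis command documentation, not from this page.

```python
import re

# (first version of the affected range, first fixed version) for upstream
# Redis, copied from the "Affected" table on this page.
REDIS_RANGES = [
    ((0, 0, 0), (6, 2, 20)),
    ((7, 0, 0), (7, 2, 11)),
    ((7, 4, 0), (7, 4, 6)),
    ((8, 0, 0), (8, 0, 4)),
    ((8, 2, 0), (8, 2, 2)),
]
NEWEST_FIX = (8, 2, 2)
WATCHED = ("eval", "evalsha")                # commands named in the workaround
CATEGORIES = ("@all", "@scripting", "@slow")  # assumed to contain both commands


def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_from_info(info_text):
    """Pull redis_version out of INFO server output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version not present")


def version_status(version):
    """Return 'affected', 'fixed' or 'unlisted' for a (major, minor, patch)."""
    for low, fixed in REDIS_RANGES:
        if low <= version < fixed:
            return "affected"
    if version >= NEWEST_FIX:
        return "fixed"
    # At or above the fix inside a branch the table lists (e.g. 6.2.21).
    if any(version[:2] == fixed[:2] for _, fixed in REDIS_RANGES):
        return "fixed"
    return "unlisted"  # branch not in the table: treat as not confirmed fixed


def parse_acl_line(line):
    """Evaluate one ACL LIST line left to right, as Redis applies rules."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % line)
    user = {"name": tokens[1], "enabled": False, "nopass": False}
    allowed = set()
    for tok in (t.lower() for t in tokens[2:]):
        if tok in ("on", "off"):
            user["enabled"] = tok == "on"
        elif tok == "nopass":
            user["nopass"] = True
        elif tok == "allcommands":
            allowed = set(WATCHED)
        elif tok == "nocommands":
            allowed = set()
        elif tok[0] in "+-" and len(tok) > 1:
            target = tok[1:]
            if target in CATEGORIES:
                hit = set(WATCHED)
            elif target in WATCHED:
                hit = {target}
            else:
                continue  # unrelated command or category
            allowed = allowed | hit if tok[0] == "+" else allowed - hit
        # key patterns, channels, password hashes and selectors are ignored
    user["can_run"] = sorted(allowed)
    return user


def triage(info_text, acl_lines):
    status = version_status(version_from_info(info_text))
    users = [parse_acl_line(l) for l in acl_lines if l.strip()]
    scripters = [u for u in users if u["enabled"] and u["can_run"]]
    open_scripters = [u["name"] for u in scripters if u["nopass"]]
    if status == "fixed":
        priority = "patched"
    elif open_scripters:
        priority = "critical"   # no credential needed to reach EVAL/EVALSHA
    elif scripters:
        priority = "high"       # authenticated users can still run scripts
    else:
        priority = "mitigated"  # workaround in place, patch still pending
    return {"version_status": status, "priority": priority,
            "scripting_users": [u["name"] for u in scripters],
            "passwordless_scripting_users": open_scripters}


# Constructed sample input, not captured from a real server.
SAMPLE_INFO = "# Server\nredis_version:8.2.1\nredis_mode:standalone\n"
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* resetchannels -@all +get +evalsha",
    "user metrics on #<sha256-placeholder> ~* resetchannels +@all -@scripting",
    "user legacy off nopass ~* +@all",
]

if __name__ == "__main__":
    print(triage(SAMPLE_INFO, SAMPLE_ACL))
```

Rule order matters: a `-eval` that appears before a later `+@all` is undone, which is why the evaluator walks the tokens in sequence instead of searching for a deny rule.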
CVSS provenance
- nvd (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- osv: 9.9 CRITICAL
- vulncheck: 9.9 CRITICAL
- vendor_debian: 9.9 CRITICAL
- vendor_msrc: 9.9 CRITICAL
- vendor_oracle: 9.9 CRITICAL
- vendor_redhat: 9.9 CRITICAL
- vendor_ubuntu: 8.8 HIGH
Ubuntu
Lua vulnerability
vendor_ubuntu·2026-05-08
CVE-2025-49844 Lua vulnerability
Title: Lua vulnerability
Summary: Lua could be made to crash or run programs as your login if it
opened a specially crafted file.
It was discovered that the Lua parser incorrectly handled garbage collection
when processing specially crafted Lua scripts. A remote attacker could possibly
use this issue to cause a denial of service or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Redis, Lua vulnerabilities
vendor_ubuntu·2026-04-13·CVSS 8.8
CVE-2025-49844 [HIGH] Redis, Lua vulnerabilities
Title: Redis, Lua vulnerabilities
Summary: Several security issues were fixed in Redis, lua5.1, lua-cjson, lua-bitop.
It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue was only addressed in
lua5.1 on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2025-49844)
It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue was only addressed in
lua-bitop on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS and in redis on Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-31449)
Seiya Nakata and Yud
Palo Alto
PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto·2026-04-08·CVSS 7.5
CVE-2022-32149 [HIGH] PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS
PAN-SA-2026-0005 Informational Bulletin: OSS CVEs Fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
CVE Summary
- CVE-2022-32149: This CVE is fixed in Openconfig plugin PAN-OS 11.0.6, 11.1.8, 11.2.3-h2, 11.2.4 and all later versions of Openconfig plugin PAN-OS
- CVE-2024-33599: This CVE is fixed in PAN-OS versions 10.1.15, 10.2.15, 11.1.11, 11.2.7, and all later versions.
- CVE-2024-33600: This CVE is fixed in PAN-OS versions 10.1.15, 10.2.15, 11.1.11, 11.2.7, and all later versions.
- CVE-2024-33601: This CVE is fixed in PAN-OS versions 10.1.15, 10.2.15, 11.1.1
CISA ICS
Schneider Electric Plant iT/Brewmaxx
cisa_ics·2026-03-24·CVSS 7.0
[HIGH] Schneider Electric Plant iT/Brewmaxx
ICS Advisory
## Schneider Electric Plant iT/Brewmaxx
Release Date: March 24, 2026
Alert Code: ICSA-26-083-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could risk privilege escalation, which could result in remote code execution.
The following versions of Schneider Electric Plant iT/Brewmaxx are affected:
- Plant iT/Brewmaxx 9.60_and_above (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.9 | Schneider Electric | Schneider Electric Plant iT/Brewmaxx | Use After Free, Integer Overflow or Wraparound, Improper Control of Generation of Code ('Code Injection') |
## Background
- Critical Infrast
Oracle
Oracle Oracle Communications Risk Matrix: Infrastructure (valkey) — CVE-2025-49844
vendor_oracle·2026-01-15·CVSS 9.9
CVE-2025-49844 [CRITICAL] Oracle Oracle Communications Risk Matrix: Infrastructure (valkey) — CVE-2025-49844
Oracle Oracle Communications Risk Matrix: Infrastructure (valkey) vulnerability
CVE: CVE-2025-49844
CVSS: 9.9
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Ubuntu
Valkey vulnerabilities
vendor_ubuntu·2025-11-26·CVSS 7.0
CVE-2025-46818 [HIGH] Valkey vulnerabilities
Title: Valkey vulnerabilities
Summary: Several security issues were fixed in Valkey.
Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Valkey incorrectly
handled memory when running Lua scripts. An authenticated attacker could
use this vulnerability to trigger a use-after-free condition, and
potentially achieve remote code execution on the Valkey server.
(CVE-2025-49844)
It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to trigger
an integer overflow condition, and potentially achieve remote code execution
on the Valkey server. (CVE-2025-46817)
It was discovered that Valkey incorrectly handled Lua objects. An
authenticated attacker could possibly use this issue to escalate their
privileges. (
Ubuntu
Redis vulnerability
vendor_ubuntu·2025-10-16
CVE-2025-49844 Redis vulnerability
Title: Redis vulnerability
Summary: Redis could be made to crash or run programs if it received
specially crafted network traffic from an authenticated user.
USN-7824-1 fixed several vulnerabilities in Redis. This update provides
the corresponding update for Ubuntu 22.04 LTS.
Original advisory details:
Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Redis incorrectly
handled memory when running Lua scripts. An authenticated attacker could use
this vulnerability to trigger a use-after-free condition, and potentially
achieve remote code execution on the Redis server.
Instructions: After a standard system update you need to restart Redis to make
all the necessary changes.
Ubuntu
Redict vulnerability
vendor_ubuntu·2025-10-16
CVE-2025-49844 Redict vulnerability
Title: Redict vulnerability
Summary: Redict could be made to crash or run programs if it received
specially crafted network traffic from an authenticated user.
USN-7824-1 fixed several vulnerabilities in Redis. This update provides
the corresponding update for Redict - a fork of Redis.
Original advisory details:
Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Redis incorrectly
handled memory when running Lua scripts. An authenticated attacker could use
this vulnerability to trigger a use-after-free condition, and potentially
achieve remote code execution on the Redis server.
Instructions: After a standard system update you need to restart Redict to make
all the necessary changes.
Ubuntu
Redis vulnerability
vendor_ubuntu·2025-10-15
CVE-2025-49844 Redis vulnerability
Title: Redis vulnerability
Summary: Redis could be made to crash or run programs if it received specially
crafted network traffic from an authenticated user.
Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Redis incorrectly
handled memory when running Lua scripts. An authenticated attacker could
use this vulnerability to trigger a use-after-free condition, and
potentially achieve remote code execution on the Redis server.
Instructions: After a standard system update you need to restart Redis to make all the
necessary changes.
Microsoft
Redis Lua Use-After-Free may lead to remote code execution
vendor_msrc·2025-10-14·CVSS 9.9
CVE-2025-49844 [CRITICAL] CWE-416 Redis Lua Use-After-Free may lead to remote code execution
Redis Lua Use-After-Free may lead to remote code execution
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: http
Red Hat
Redis: Redis Lua Use-After-Free may lead to remote code execution
vendor_redhat·2025-10-03·CVSS 9.9
CVE-2025-49844 [CRITICAL] CWE-416 Redis: Redis Lua Use-After-Free may lead to remote code execution
Redis: Redis Lua Use-After-Free may lead to remote code execution
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
A vulnerability found in Redis where a flaw in the Lua scripting engine can trigger a use-after-free condition. An authenticated attacker can exploit this by running a specially c
Debian
CVE-2025-49844: redict - Redis is an open source, in-memory database that persists on disk. Versions 8.2....
vendor_debian·2025·CVSS 9.9
CVE-2025-49844 [CRITICAL] CVE-2025-49844: redict - Redis is an open source, in-memory database that persists on disk. Versions 8.2....
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Scope: local
forky: resolved (fixed in 7.3.6+ds-1)
sid: resolved (fixed in 7.3.6+ds-1)
OSV
valkey vulnerabilities
osv·2025-11-26·CVSS 8.8
CVE-2025-49844 [HIGH] valkey vulnerabilities
valkey vulnerabilities
Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Valkey incorrectly
handled memory when running Lua scripts. An authenticated attacker could
use this vulnerability to trigger a use-after-free condition, and
potentially achieve remote code execution on the Valkey server.
(CVE-2025-49844)
It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to trigger
an integer overflow condition, and potentially achieve remote code execution
on the Valkey server. (CVE-2025-46817)
It was discovered that Valkey incorrectly handled Lua objects. An
authenticated attacker could possibly use this issue to escalate their
privileges. (CVE-2025-46818)
It was discovered that Valkey incorrectly hand
OSV
CVE-2025-49844: Redis is an open source, in-memory database that persists on disk
osv·2025-10-03·CVSS 9.9
CVE-2025-49844 [CRITICAL] CVE-2025-49844: Redis is an open source, in-memory database that persists on disk
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
VulnCheck
redis redis Use After Free
vulncheck·2025·CVSS 9.9
CVE-2025-49844 [CRITICAL] redis redis Use After Free
redis redis Use After Free
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Affected: redis redis
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Nuclei
Redis Lua Parser < 8.2.2 - Use After Free
nuclei·CVSS 9.9
CVE-2025-49844 [CRITICAL] Redis Lua Parser < 8.2.2 - Use After Free
Redis Lua Parser < 8.2.2 - Use After Free
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Template:
```yaml
id: CVE-2025-49844
info:
  name: Redis Lua Parser < 8.2.2 - Use After Free
  author: pussycat0x
  severity: critical
  description: |
    Redis is an open source, in-memory database that persists on disk
```
Bugzilla
CVE-2025-49844 Redis: Redis Lua Use-After-Free may lead to remote code execution
bugzilla·2025-10-03·CVSS 9.9
CVE-2025-49844 [CRITICAL] CVE-2025-49844 Redis: Redis Lua Use-After-Free may lead to remote code execution
CVE-2025-49844 Redis: Redis Lua Use-After-Free may lead to remote code execution
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To work around this issue without patching the redis-server executable, prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.4 Extended Update Support
Via RHSA-2025:18931 https://access.redh
Securelist
What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant
blogs_securelist·2026-05-29
CVE-2025-55182 What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant
Yaroslav Shmelev
Anton Kivva
Denis Parinov
Vladimir Kuskov
Yanina Balandyuk-Opalinskaya
Table of Contents
Introduction
Software vulnerabilities and compromise of update sources
Configuration vulnerabilities
Insecure handling of credentials
Use of default passwords
Passing passwords via command arguments
Privilege escalation in the container
Attacks on sudo
Insecure file permissions
Lack of integrity checks
Conclusion
## Introduction
Containerization using Docker has become firmly established in modern development standards, significantly increasing the speed and convenience of deploying various services. Developers often use ready-made Docker images, making only minimal c
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Vulnerability landscape in Q4 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
React2Shell (CVE-2025-55182): a vulnerability in React Server Components
CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
CVE-2025-11001: a vulnerability in 7-Zip
RediShell (CVE-2025-49844): a vulnerability in Redis
CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
Conclusion and advice
Authors
Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Wiz
Top Wiz Research Blogs: 2025 | Wiz Blog
blogs_wiz·2026-01-30
Top Wiz Research Blogs: 2025 | Wiz Blog
In 2025, the lines between cloud, AI, and software supply chains continued to blur. Wiz Research spent the year tracking how attackers adapted to this shift with the most impactful findings surfacing in three key areas:
Supply chain attacks: The cloud supply chain emerged as the new frontline, accounting for more than half of our most-read investigations in 2025. Malware campaigns evolved to spread silently across CI/CD systems, package registries, and build pipelines – often relying on the wide adoption of npm and GitHub. In 2026, we may see these campaigns extend into IDE extensions and AI artifacts like models, MCP servers, and skills.
AI exposure: Our most-read research post of 2025 was the investigation into an exposed DeepSeek database, kicking off a year shaped by the rapid rollou
Wiz
Crying Out Cloud Monthly Newsletter - November | Wiz
blogs_wiz·2025-11-19·CVSS 9.9
CVE-2025-49844 [CRITICAL] Crying Out Cloud Monthly Newsletter - November | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
🔍 Highlights
RediShell: Critical RCE Vulnerability in Redis
Wiz Research discovered a critical RCE vulnerability (CVE-2025-49844) affecting Enterprise and Community versions of Redis, Valkey and managed Cloud services (ElastiCache, MemoryStore, Azure Cache). The flaw allows an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. Since some distributions of Redis are configured without authentication by default, or use default or weak passwords for authentication, customers are advised to prioritize patching Internet-facin
Bleepingcomputer
Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
blogs_bleepingcomputer·2025-10-14·CVSS 7.8
[HIGH] Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
## Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws
## Lawrence Abrams
80 Elevation of Privilege Vulnerabilities
11 Security Feature Bypass Vulnerabilities
31 Remote Code Execution Vulnerabilities
28 Information Disclosure Vulnerabilities
11 Denial of Service Vulnerabilities
10 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released today by Microsoft. Therefore, the number of flaws does not include those fixed in Azure, Mariner, Microsoft Edge, and other vulnerabilities earlier this month.
Notably, Windows 10 reaches the end of support today, with this being the last Patch Tuesday where Microsoft provides free security updates to the venerable operating system.
To continue receiving security upd
Checkpoint
13th October – Threat Intelligence Report
blogs_checkpoint·2025-10-13
CVE-2023-1389 13th October – Threat Intelligence Report
## 13th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Qilin ransomware group has claimed responsibility for targeting Asahi, Japan’s largest brewing company, that had been hacked on September 29th. The attack resulted in the exfiltration of over 9,300 files totaling 27GB of sensitive data, including financial documents, employee IDs, contracts, and internal reports. The at
Bleepingcomputer
Redis warns of critical flaw impacting thousands of instances
blogs_bleepingcomputer·2025-10-06·CVSS 9.9
[CRITICAL] Redis warns of critical flaw impacting thousands of instances
## Redis warns of critical flaw impacting thousands of instances
## Sergiu Gatlan
The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances.
Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access.
The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default).
Successful exploitation enables them to escape the Lu
Wiz
Wiz Finds Critical Redis RCE Vulnerability: CVE‑2025‑49844 | Wiz Blog
blogs_wiz·2025-10-06·CVSS 9.9
CVE-2025-49844 [CRITICAL] Wiz Finds Critical Redis RCE Vulnerability: CVE‑2025‑49844 | Wiz Blog
# What is RediShell?
Wiz Research has uncovered a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844 which we've dubbed #RediShell, in the widely used Redis in-memory data structure store. The vulnerability has been assigned a CVSS score of 10.0 - the highest possible severity (note that we have seen this listed as a 9.9 in some places, depending on the source).
The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host. This grants an attacker full access to the host syst
Wiz
Posts by Nir Brakha | Wiz
blogs_wiz·2025-10-06·CVSS 9.9
CVE-2025-49844 [CRITICAL] Posts by Nir Brakha | Wiz
## RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score
Wiz Research discovers vulnerability stemming from 13-year-old bug present in all Redis versions, used in 75% of cloud environments.
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
Wiz
CVE-2026-27623 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-27623 [CRITICAL] CVE-2026-27623 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27623 :
Valkey vulnerability analysis and mitigation
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Source : NVD
## 7.5
Score
Published February 23, 2026
Severity HIGH
CNA Score 7.5
Affected
Wiz
CVE-2026-21863 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-21863 [HIGH] CVE-2026-21863 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21863 :
Redis vulnerability analysis and mitigation
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Source : NVD
## 7.5
Score
Published February 23, 2026
Severity HIGH
CNA Score 7.5
Wiz
CVE-2025-67733 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2025-67733 [HIGH] CVE-2025-67733 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67733 :
Redis vulnerability analysis and mitigation
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
Source : NVD
## 7.1
Score
Published February 23, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Redis
Rocky Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploita
- https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539
- https://github.com/redis/redis/releases/tag/8.2.2
- https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q
- http://www.openwall.com/lists/oss-security/2025/10/07/2
- https://github.com/lastvocher/redis-CVE-2025-49844