IT SPARC Cast
John Barger
109 episodes
2 days ago
IT SPARC Cast is a digest of the Enterprise IT news over the last week, with insights, opinions, and a little sarcasm from 2 experts each with over 20 years of experience working in IT or for IT vendors.

Hosted on Acast. See acast.com/privacy for more information.

Tech News
Technology,
News,
News Commentary
All content for IT SPARC Cast is the property of John Barger and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Redis “RediShell” CVE-2025-49844: Cloud Infrastructure at Risk
IT SPARC Cast
10 minutes 23 seconds
3 weeks ago
In this week’s episode of IT SPARC Cast - CVE of the Week, John Barger and Lou Schmidt dive deep into CVE-2025-49844, a newly discovered and critical remote code execution vulnerability in Redis—the in-memory database that powers over 75% of cloud services. This flaw, dubbed “RediShell”, scores a perfect 10.0 CVSS and affects Redis instances using Lua scripting, allowing attackers to execute arbitrary code and gain full system control.


This 13-year-old bug stems from a use-after-free memory corruption issue that lets attackers escape the Lua sandbox, run malicious code, exfiltrate data, deploy crypto miners, or move laterally inside cloud environments. Even worse—more than 60,000 internet-exposed Redis servers have no authentication, leaving them completely open to exploitation.


John and Lou discuss how this happened, what you can do to secure your infrastructure, and why “cloud-hosted” doesn’t always mean “secure.”

✅ Key Takeaways:

• Update to patched versions immediately (8.2.2, 8.0.4, 7.4.6, 7.2.11, 6.2.20)
• Restrict network access with ACLs
• Rotate all credentials and API keys
• Don’t run Redis as root
• Isolate any compromised hosts before investigation


Lou calls it “a 10 on the oh-crap-ometer”—and he’s not wrong.


https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html

https://www.darkreading.com/cloud-security/patch-now-redishell-redis-rce

