Redis RCE Vulnerability: Critical Flaw Discovered
A critical remote code execution vulnerability has been discovered in all versions of Redis Server that support Lua scripting. Tracked as CVE-2025-49844, the flaw is a use-after-free issue within the Lua scripting engine's garbage collection mechanism. Authenticated attackers can exploit this vulnerability by crafting a malicious Lua script to achieve arbitrary code execution with the privileges of the Redis server. The vulnerability has been assigned a CVSS score of 10.0, reflecting its critical severity and low attack complexity. While patches are still being developed, administrators are advised to mitigate the risk by using Access Control Lists to disable Lua script execution commands.
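The ACL mitigation the advisory refers to, as an added example that is not part of the original advisory: a Redis ACL file (loaded via the `aclfile` directive, or applied at runtime with `ACL SETUSER`) showing the permissive rule beside the hardened one. The user names, key patterns and `CHANGEME` passwords are constructed placeholders; `@scripting` is Redis's built-in command category covering EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION, FCALL and FCALL_RO.

```conf
# users.acl  (constructed example, not from the advisory)
#
# Weak: the default user can run every command, including the Lua
# scripting commands an authenticated attacker would need to reach
# the vulnerable engine.
#
#   user default on >CHANGEME ~* &* +@all
#
# Hardened: keep the same access, but drop the whole scripting
# category so EVAL/EVALSHA/SCRIPT/FUNCTION/FCALL are rejected.
user default on >CHANGEME ~* &* +@all -@scripting

# Application account: explicit allow-list of command categories and
# keys, again without scripting. Placeholder values throughout.
user app on >CHANGEME ~app:* &* +@read +@write +@string +@hash -@scripting

# Runtime equivalent for an already-running server (no restart), then
# persist it to the ACL file:
#   ACL SETUSER default -@scripting
#   ACL SETUSER app -@scripting
#   ACL SAVE
#
# Verification (Redis 7.0+): ACL DRYRUN reports OK if the user may run
# the command and otherwise a string explaining the denial, so the
# second call below should NOT return OK:
#   ACL DRYRUN app GET app:session
#   ACL DRYRUN app EVAL "return 1" 0
```

Because the flaw is only reachable by authenticated clients, this is a stop-gap until the vendor patch ships; review `requirepass`/user passwords and network exposure of the port at the same time, since any client that can authenticate as a user retaining `@scripting` can still reach the engine.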
Latest mentioned: 10-06
Earliest mentioned: 10-04