14 software bugs that took too long to crack

A vulnerability in the Redis in-memory data store posed a major risk to the servers hosting it.
The vulnerability, identified as CVE-2025-49844 or RediShell, stems from a use-after-free memory corruption bug that had existed in the Redis code base for about 13 years and allows remote code execution.
While exploiting the flaw requires authentication, an estimated 60,000 Redis instances were exposed to the Internet with no authentication enabled, leaving those systems open to attack. Wiz researchers discovered the bug and demonstrated it at the Pwn2Own Berlin competition in May 2025, ahead of its public disclosure in October 2025.
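The exposure described above is a configuration problem as much as a code problem: an instance that listens on a non-loopback address with no password set lets any client that can reach the port run commands. The following auditor is an added example, not code from the article or from the Redis project. It parses a redis.conf and reports that pattern; the two sample configurations are constructed, while the directive names (bind, protected-mode, requirepass) are real Redis directives.

```python
"""Audit a redis.conf for a network-reachable listener with no authentication.

Added example, not part of the original article or of Redis itself. The two
sample configurations below are constructed; bind, protected-mode and
requirepass are real Redis configuration directives.
"""

from __future__ import annotations

# Constructed sample: the weak pattern (all interfaces, protected mode off,
# no password), i.e. the state the exposed instances in the text were in.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass is left unset
"""

# Constructed sample: a hardened configuration for the same server.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass REPLACE_WITH_A_STRONG_SECRET
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to its argument list.

    Lines beginning with '#' are comments. For the directives audited here a
    later occurrence overrides an earlier one, which matches how Redis reads them.
    """
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return findings for the given redis.conf text; an empty list means clean."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    # With no bind directive Redis listens on every interface. A leading '-'
    # marks an address as optional in newer Redis versions; strip it for the check.
    bind = [addr.lstrip("-") for addr in (conf.get("bind") or ["0.0.0.0"])]
    loopback_only = all(addr in LOOPBACK for addr in bind)
    if not loopback_only:
        findings.append(f"bind: listens on non-loopback address(es) {bind}")

    # protected-mode only guards an instance that has neither bind nor
    # requirepass configured, so it is a last line of defence, not a substitute.
    protected = conf.get("protected-mode") or ["yes"]
    if protected[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    password = (conf.get("requirepass") or [""])[0]
    if not password:
        findings.append("requirepass: unset; clients connect without authenticating")

    # The combination is what matters: reachable from the network and unauthenticated.
    if not loopback_only and not password:
        findings.append(
            "CRITICAL: network-reachable listener with no authentication; "
            "any client that can connect can run arbitrary commands"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_conf(conf) or ['no findings']}")
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`; an empty configuration is reported as exposed, because Redis's default of listening on all interfaces with no password is exactly the weak state.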
LionWiki local file inclusion
Age: 11 years, 11 months
Date introduced: November 2008
Date discovered: October 2020
LionWiki is a small wiki engine written in PHP. Unlike many popular wiki engines, LionWiki does not use a database and is instead entirely file-based. Given its goal of simplicity, this is a strength, but it also opens the door to a serious vulnerability.
Essentially, the files belonging to a LionWiki instance are accessed via the file and path names supplied in the URL of the corresponding pages. This means that, with a well-crafted URL, you can traverse the file system of the server hosting the LionWiki instance. URL filtering is in place to block such attempts, but as Infosec Institute Cyber Range engineer June Werner found, it can be easily defeated.
One thing Werner noted is that the vulnerability persisted despite efforts to fix it. “Some fixes were made in July of 2009, and then a broader fix was made in January of 2012,” he said. “Despite these mitigations, the code was still vulnerable to similar attacks. This vulnerability remained in the code for another eight years until it was rediscovered, along with a workaround, in October 2020.” After the bug was officially reported, it was patched by a developer.
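The lesson of the LionWiki case is that filtering suspicious substrings out of a URL is not a reliable containment check for a file-based application. The following is an added example, not LionWiki's code: it restricts a page name to a single path component, canonicalises the resulting path, and then verifies that the canonical path still lies inside the page directory, which also catches symlinks planted inside that directory. The page store, its contents and the requested names are all constructed for the demonstration.

```python
"""Contain page-file lookups to one directory by canonical-path checking.

Added example, not LionWiki code. The page directory, its files and the
requested names are constructed here in a temporary directory.
"""

from __future__ import annotations

import tempfile
from pathlib import Path

PAGE_EXT = ".txt"


def resolve_page_path(root: Path, requested: str) -> Path | None:
    """Return the canonical path of page `requested` under `root`, or None.

    Two independent checks: the request must be a single, plain path
    component, and the resolved path (symlinks followed) must still be
    inside the resolved root. Neither check depends on spotting "../".
    """
    root_real = root.resolve(strict=True)

    # Allow-list shape: a bare name, no separators, no NUL, not "." or "..".
    if not requested or requested in (".", "..") or any(c in requested for c in "/\\\0"):
        return None

    candidate = (root_real / (requested + PAGE_EXT)).resolve()

    # Containment on the canonical path: a symlink inside root that points
    # outside it resolves to an outside path and is refused here.
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def demo() -> dict[str, bool]:
    """Build a throwaway page store and report which requests are accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        root = tmp_path / "pages"
        root.mkdir()
        (root / ("Home" + PAGE_EXT)).write_text("welcome")          # a real page
        outside = tmp_path / ("secret" + PAGE_EXT)
        outside.write_text("not a wiki page")                        # outside the store

        results: dict[str, bool] = {}
        for req in ("Home", "../secret", "..", "Home/../../secret", "", "Missing"):
            results[req] = resolve_page_path(root, req) is not None

        # A symlink inside the store pointing outside it: the name looks
        # harmless, but the canonical-path check still refuses it.
        link = root / ("Link" + PAGE_EXT)
        try:
            link.symlink_to(outside)
            results["Link"] = resolve_page_path(root, "Link") is not None
        except OSError:
            pass  # platform without symlink support; skip this case
        return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name!r}: {'accepted' if accepted else 'refused'}")
```

"Missing" is accepted because the check decides only whether a path is inside the store; whether the page exists is a separate question for the caller. Separating the two keeps the containment logic small enough to reason about, which substring filters never are.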
sudo host option
Age: 11 years, 10 months
Date introduced: September 2013
Date discovered: July 2024
The sudo command is an essential tool in any Unix administrator’s toolkit, granting elevated privileges to users permitted to invoke it. To receive those privileges, a user must be listed in a configuration file called sudoers. Because many organizations run multiple Unix hosts, sudoers can specify the hosts on which each user has sudo privileges, so that a single configuration file can be written once and pushed to every host in the organization.
The catch is that reading the sudoers file to see on which hosts you or another user have sudo privileges itself requires those privileges. But a command-line flag intended to let users view host-specific privileges can be misused to trick sudo into treating a command as if it were running on a different host, one where the user does have elevated privileges. That would let the user run commands, including ones that edit sudoers, even if they should not have that access on the local machine. This flaw is not rated as serious, but it went unnoticed for almost 12 years. (Another serious flaw, in the chroot option, disclosed at the same time, is a mere two years old.)
HashiCorp Vault and CyberArk Conjur logic errors
Age: 10 years
Date introduced: 2015[1]
Date discovered: August 2025
Multiple flaws in HashiCorp Vault and CyberArk Conjur, two open source secrets management systems, left the door open to a variety of attacks, including authentication bypass and the theft or deletion of supposedly protected secrets.
Both HashiCorp Vault and CyberArk Conjur are used to store and control access to secrets such as API keys, database passwords, certificates, and encryption keys. Both are widely used in DevSecOps pipelines.
Researchers at Cyata uncovered numerous problems, many of which had lain hidden in the code bases of these widely used secrets managers for years. The vulnerabilities were found through a manual code review that focused on conceptual flaws in the components responsible for authentication and policy enforcement, rather than on the memory corruption issues typically caught by automated tools.
The findings – a combined total of 14 vulnerabilities across the two secrets managers – were presented at Black Hat USA in August 2025.
The most severe vulnerability in HashiCorp Vault (CVE-2025-6000) gave attackers a way to delete a key file containing the keys needed to access stored secrets, leaving the data inaccessible.
All of the vulnerabilities were fixed before the research was made public.
Linux GRUB2 Secure Boot hole
Age: 10 years
Date introduced: 2010
Date discovered: July 2020
When UEFI was introduced to replace the BIOS, it was seen as a security advance, with protections that operate at the level of the boot software that starts the OS. Central to this is a linked chain of signed cryptographic certificates that validates each bootloader program as legitimate, a technique known as Secure Boot. The UEFI root certificate is signed by Microsoft, and Linux distributions place their bootloaders, each with its own signed certificate, further down the chain.
But GRUB2, the most popular UEFI-certified Linux bootloader, contains a buffer overflow vulnerability that can be triggered by malicious content in its configuration file. (While GRUB2 itself is signed, its configuration file, which is meant to be edited by local administrators, is not.) The hole was spotted by Eclypsium, and while an attacker would need some degree of local control of the target machine to mount the attack, success lets them remain in control of that computer going forward, or interfere with the system's ability to boot.
Telnet
Age: 10 years, 8 months
Date introduced: May 2017
Date discovered: January 2026
Telnet is an early Internet protocol, and set of associated tools, for logging into a remote machine through a text-based terminal session. Although superseded since the mid-1990s by SSH, which encrypts the session, Telnet remains widely used on embedded systems, network hardware, and other legacy systems.
An easy-to-exploit Telnet authentication bypass vulnerability (CVE-2026-24061), introduced in a code change in May 2017, left devices running unpatched versions of the software open to remote compromise whenever their Telnet server was exposed to the Internet.
[1] HashiCorp Vault was first released in 2015, and CyberArk Conjur became available in 2016. I think at least some of these risks stem from the initial release of each technology.