
A vulnerability in the Redis in-memory store posed a critical risk for servers hosting the database.
The vulnerability, identified as CVE-2025-49844 or RediShell, stemmed from a use-after-free memory corruption bug that had existed in the Redis code base for around 13 years and posed a remote code execution risk.
While the flaw required authentication to exploit, an estimated 60,000 Redis instances were exposed to the internet without authentication enabled, leaving these systems open to attack. Wiz researchers discovered the flaw and used it in the Pwn2Own Berlin contest in May 2025, months before its public disclosure in October 2025.
LionWiki local file inclusion
Age: 11 years, 11 months
Date introduced: November 2008
Date fixed: October 2020
LionWiki is a minimalist wiki engine, programmed in PHP. Unlike many popular wiki engines, LionWiki doesn’t use a database, and instead is entirely file-based. Because its goal is simplicity, this is a strength, but it also makes a significant vulnerability possible.
In essence, the various files underlying a particular LionWiki instance are accessed by file and pathnames in the URL of the corresponding pages. This means that, with a correctly crafted URL, you could traverse the filesystem of the server hosting the LionWiki instance. There are URL-filtering provisions in place to block attempts to do this, but as Infosec Institute Cyber Range Engineer June Werner discovered, they could be defeated fairly easily.
One thing Werner noted is that the vulnerability persisted despite attempts to correct it. “Some mitigations were first put in place in July of 2009, and then more extensive mitigations were put in place in January of 2012,” she noted. “Despite these mitigations, the code was still vulnerable to the same type of attack. This vulnerability stayed in the code for another eight years until it was rediscovered, along with a way to bypass the mitigations, in October 2020.” After the bug was formally reported, it was patched by the developer.
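Why filtering the URL parameter can keep failing while a canonicalise-and-contain check holds, as an added example (not LionWiki's code, nor the filter or bypass Werner reported). The names `strip_once_filter` and `resolve_page`, the `.txt` suffix and the sample files are all constructed for illustration.

```python
import os
import tempfile

def strip_once_filter(page):
    # Constructed denylist filter (not LionWiki's): one pass removing "../".
    return page.replace("../", "")

def inside(base, path):
    # True if path, with symlinks and ".." resolved, stays under base.
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def resolve_page(pages_dir, page):
    # Hardened lookup: decide on the canonical path, not on the raw string.
    if "\0" in page:
        return None
    target = os.path.realpath(os.path.join(pages_dir, page + ".txt"))
    if not inside(pages_dir, target) or not os.path.isfile(target):
        return None
    return target

def demo():
    # Returns {request: (denylist_opens_outside_pages, hardened_serves_it)}.
    results = {}
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        for path, text in [(os.path.join(pages, "Main.txt"), "home"),
                           (os.path.join(root, "secret.txt"), "config")]:
            with open(path, "w") as fh:
                fh.write(text)
        # A symlink inside the pages directory that points outside it.
        os.symlink(os.path.join(root, "secret.txt"),
                   os.path.join(pages, "link.txt"))
        for req in ["Main", "../secret", "....//secret", "link"]:
            naive = os.path.join(pages, strip_once_filter(req) + ".txt")
            results[req] = (not inside(pages, naive),
                            resolve_page(pages, req) is not None)
    return results

if __name__ == "__main__":
    for req, (naive_outside, served) in demo().items():
        print(f"{req!r}: denylist reaches outside={naive_outside}, "
              f"hardened serves={served}")
```

The single-pass filter reassembles a parent-directory reference from the nested input and never sees the symlink, while the containment check rejects both because it compares resolved paths.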
sudo host
Age: 11 years, 10 months
Date introduced: September 2013
Date fixed: July 2024
The sudo command is an important tool in any Unix admin’s toolkit, granting superpowered user privileges to those who have the permission to invoke it. To access these privileges, a user must be listed in a configuration file called sudoers. Because many organizations centrally administer many Unix hosts, sudoers can include a list of specific hosts where each user has sudo rights, so that these config files can be written once and then be pushed out to all the organization’s hosts.
The problem is that, to get access to the sudoers file and see the hosts on which you or another user might have sudo powers, you need those sudo powers yourself. But a command-line flag intended to let users view host-specific privileges could be abused to trick sudo into treating the command as if it were running on a different host — potentially one where the user has elevated privileges. That could allow the user to run commands, including those that edit sudoers, even if they shouldn’t have that access on the local machine. This security flaw isn’t rated as too serious, but it did lurk undetected for nearly 12 years. (Another more serious flaw with the chroot option, revealed at the same time, is a mere baby at two years old.)
HashiCorp Vault and CyberArk Conjur logic flaws
Age: 10 years
Date introduced: 2015[1]
Date fixed: August 2025
Multiple flaws in components of HashiCorp Vault and CyberArk Conjur, two open-source credential management systems, left the door open to a variety of attacks, including authentication bypass and the theft or erasure of supposedly protected secrets.
Both HashiCorp Vault and CyberArk Conjur are used for storing and controlling access to secrets such as API keys, database passwords, certificates, and encryption keys. Each technology is commonly used in DevSecOps pipelines.
Researchers from Cyata discovered an array of issues, many of which had remained hidden in the codebase of widely used open-source secrets vaults for years. The vulnerabilities were discovered after manual code reviews that focused on logic flaws in components responsible for authentication and policy enforcement rather than memory corruption issues typically detected by automated tools.
Findings from the research — which led to the discovery of a combined total of 14 vulnerabilities in the two secrets vaults — were revealed at Black Hat USA in August 2025.
The most severe vulnerability in HashiCorp Vault (CVE-2025-6000) created a mechanism for attackers to delete a critical file containing the keys needed to decrypt stored secrets, leaving data unreachable.
All the vulnerabilities were addressed before the research was publicly disclosed.
Linux GRUB2 Secure Boot hole
Age: 10 years
Date introduced: 2010
Date fixed: July 2020
When UEFI was introduced to replace BIOS, it was deemed the cutting edge of security, with features to fight attacks that operated on the level of the bootloading software that starts up an OS. Key to this is an interlocked chain of signed cryptographic certificates that verifies each bootloader program as legit, a mechanism known as Secure Boot. The root certificate for UEFI is signed by Microsoft, and Linux distributions put their own bootloaders, each with its own validated certificate, further down the chain.
But GRUB2, a widely popular Linux bootloader with a UEFI-ready certificate, contains a buffer overflow vulnerability that can be exploited by malicious code inserted into its configuration file. (While GRUB2 itself is signed, its configuration file, meant to be editable by local admins, is not.) This hole was spotted by Eclypsium, and while an attacker would need to have a degree of local control of the target machine to implement this attack, if they pulled it off successfully, they could ensure that they remain in control of that computer going forward each time it boots up, making it difficult to evict them from the system.
Telnet
Age: 10 years, 8 months
Date introduced: May 2017
Date fixed: Jan 2026
Telnet is an early internet protocol and associated tools used for remotely logging into another machine via a text-based terminal session. Although superseded by the more secure and encrypted SSH technology since the mid-1990s, Telnet is still widely used by embedded systems, network hardware, and other legacy systems.
An easily exploited Telnet authentication bypass vulnerability (CVE-2026-24061), introduced in code changes released in May 2017, left devices running pre-patched versions of the software wide open to remote compromise, provided that their Telnet server was exposed to the internet.
[1] HashiCorp Vault was first released in 2015, with CyberArk Conjur becoming available in 2016. I’m assuming that at least some of these vulnerabilities date back to the first release of each technology.




