Security Now 1047: RediShell's CVSS 10.0
Date: October 15, 2025
Host: Leo Laporte
Guest: Steve Gibson
Episode Overview
This episode dives deep into the latest high-impact vulnerability in Redis servers, the controversial EU Chat Control vote, major breaches at Discord and Salesforce, significant tech policy changes in the US, and a host of other developments in the security landscape. Steve Gibson and Leo Laporte, in their signature informative and entertaining style, unpack complex news, technical flaws, and legislative moves, with a special focus on urgent security issues and their wider impact.
Table of Contents
- EU Chat Control Vote Defeated
- Salesforce Ransomware Attack & Data Leak
- Discord's Massive Data Breach
- GitHub's Migration to Azure
- California & Texas Legal Updates on Privacy and Child Safety
- OpenAI's AI Abuse Response
- IE Mode Exploits & Microsoft Edge Response
- BreachForums HN Domain Seizure
- Global Botnet Attacks RDP Endpoints
Opening & Episode Focus
- Main story: A newly discovered, critical remote code execution vulnerability in Redis, impacting 330,000 publicly exposed servers and earning a rare, perfect CVSS 10.0 score.
- Plus: Updates on major breaches (Discord, Salesforce), the defeat of EU’s “Chat Control” surveillance law, and aggressive new platform regulations coming out of Texas.
- Steve and Leo also touch on user interface trends and offer practical, sometimes humorous, security advice.
Security News Roundup
EU Chat Control Vote Defeated ([10:56])
- The EU’s proposed “Chat Control” legislation, which would have mandated client-side scanning and weakened encryption, was set for a vote but withdrawn due to lack of support.
- Opposition was led by Germany and the Netherlands, with strong statements from privacy advocates and EU tech companies.
- Quote (Germany’s Justice Minister Dr. Stephanie Hubig):
"Chat control is a taboo for the rule of law... the fight against child pornography does not justify removing everyone's right to privacy." ([12:42])
- Open letter from 40+ major EU tech companies warned it would harm digital sovereignty and drive users to US/Chinese products.
Salesforce Ransomware Attack & Data Leak ([27:28], [75:23])
- “Scattered Lapsus Hunters” extortion group claimed ~1 billion records taken from 39 Salesforce customers.
- Salesforce refused to pay the ransom (“We will not engage, negotiate with, or pay any extortion demand.”)
- Data from affected companies, including Qantas Airlines and Vietnam Airlines, already leaked online.
- Discussion on the broader dilemma: paying ransoms funds cybercrime and sets dangerous precedents.
Discord's Massive Data Breach ([35:10], [39:42])
- Attackers claim to have accessed 1.6TB of data via Zendesk support system, affecting 5.5 million users, including 70,000+ government ID photos.
- Attack originated from compromise at a business process outsourcing provider.
- Leo and Steve criticize Discord’s retention of sensitive user data post-verification.
- Quote (Leo Laporte, [49:40]):
“That’s just lazy. That’s just lazy.”
GitHub’s Migration to Azure ([49:49])
- Microsoft is moving GitHub's infrastructure fully to Azure within 24 months, prioritizing the migration over new features.
- Outages and scaling issues anticipated; migration is high-risk due to legacy dependencies.
- Steve’s warning: Unexpected consequences and more outages likely; security risks cannot be ignored.
California & Texas Legal Updates on Privacy and Child Safety ([56:50], [75:23])
California: Browser-based Privacy Controls
- Governor Newsom signed laws requiring web browsers to include a universal opt-out button that lets users refuse the sale of their data (takes effect Jan 2027).
- Push for more robust enforcement compared to previous do-not-track initiatives.
- GPC (Global Privacy Control) progressing, but not fully supported in all browsers.
Texas: SB 2420 (“App Store Accountability Act”) ([75:23])
- Taking effect Jan 1, 2026. Requires platforms (Apple, Google, etc.) to verifiably age-check all users, strictly enforce content ratings, and obtain explicit parental consent for every purchase or download by minors under 18.
- Apps must provide detailed age/content disclosures.
- Law construed as extremely burdensome by Apple; Tim Cook unsuccessfully lobbied against it.
- Anticipated to become a national template as other states follow suit.
OpenAI’s Response to Government-Backed AI Abuse ([67:01])
- OpenAI is taking action against state actor misuse (e.g., PRC espionage campaigns leveraging ChatGPT for phishing).
- Steve is skeptical that this blocks AI-powered phishing long-term, since attackers can always self-host LLMs or move to other platforms.
IE Mode Exploits & Microsoft Edge Response ([70:07])
- Attackers exploit IE legacy mode in Edge to execute code via unpatched vulnerabilities.
- Microsoft now makes IE mode much harder to use (must be enabled in settings, with manual allowlists and browser restart).
BreachForums HN Domain Seizure ([112:18])
- BreachForums .hn domain (used by Scattered Lapsus Hunters) seized by US/European law enforcement.
Global Botnet Attacks RDP Endpoints ([113:45])
- 100,000+ botnet hosts, across 100+ countries, launching attacks against US RDP services.
- Classic advice: “Don’t do it.” Never expose RDP directly to the public internet.
Deep Dive: Texas' New App Store Law (SB 2420) ([75:23])
- Requires strict, “commercially reasonable” age verification for all new app store accounts in Texas—self-declaration is specifically ruled out.
- Every app download or in-app purchase by a minor (<18) requires specific, per-transaction parental authorization; blanket permissions are banned.
- Applies to all apps, including innocuous ones (e.g., weather, sports).
- Developers must assign age ratings aligning with statutory categories and fully document content elements.
- Apple’s initial response is to provide age declaration APIs, but SB 2420 requires actual, verifiable age checks (e.g., government-issued ID, credit verification).
- Not retroactive: applies only to new accounts created after Jan 1, 2026.
- Quote (Steve Gibson, [101:24]):
“Imagine being a 17-year-old high school senior in Texas and needing to obtain your mother’s permission to add an app, any app, regardless of its age rating, to your iPhone.”
- No known legal challenges as of episode date (past Texas content laws withstood Supreme Court review).
REDISHELL: Critical Redis Vulnerability (CVSS 10) ([132:31])
- CVE-2025-49844 (“RediShell”): remote code execution via a 13-year-old use-after-free bug in Redis’ embedded Lua scripting engine.
- Allows any authenticated attacker (and, on the many servers that run without authentication, anyone who can reach the port) to execute native code on the Redis host.
- 330,000 servers exposed online; 60,000 with no authentication at all.
- Exploitable even inside internal/cloud networks—once an attacker lands, easy lateral movement.
- Redis has issued a patch; the community is urged to update immediately—though “many will not.”
- Bad actors will likely develop and release proof-of-concept exploits rapidly, increasing risk.
- Quote (Steve Gibson, [135:53]):
“It has been a magnet for exploitation... The last thing I would ever think of doing would be binding the Redis service to any network interface that’s connected to the public Internet.”
- Exposure is not just about public risk: intranet instances equally at risk if attacker pivots internally.
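As an added, defender-side illustration (not code from the episode or from the Redis project), the script below audits a redis.conf for the exposure factors discussed above: binding to non-loopback interfaces, protected mode, and authentication, plus whether the default ACL user can still reach the Lua scripting commands. The sample configurations are constructed, and using the `-@scripting` ACL rule as a mitigation is this example's assumption, not something the episode states.

```python
"""Audit a redis.conf for the exposure factors discussed in the episode.
Added example; the sample configs are constructed for illustration."""

# Constructed sample: an exposed, unauthenticated instance.
EXPOSED_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback-only, password required, and Lua scripting
# removed from the default user via an ACL rule (assumed mitigation).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass change-me-to-a-long-random-secret
user default on >change-me-to-a-long-random-secret ~* &* +@all -@scripting
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}

def parse_conf(text):
    """Return {directive: [value, ...]} for active (non-comment) lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means no exposure factor found."""
    conf = parse_conf(text)
    findings = []
    # With no bind directive, Redis listens on every interface.
    binds = " ".join(conf.get("bind", ["0.0.0.0"])).split()
    if any(b not in LOOPBACK for b in binds):
        findings.append("bound to a non-loopback interface: " + " ".join(binds))
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    users = conf.get("user", [])
    has_auth = "requirepass" in conf or any(">" in u and "nopass" not in u for u in users)
    if not has_auth:
        findings.append("no password or ACL user configured")
    if not any("-@scripting" in u for u in users):
        findings.append("Lua scripting still reachable (no ACL rule removing @scripting)")
    return findings
```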
User Interface Rant & Noteworthy Moments ([122:18], [126:55])
- Steve and Leo rail against Apple’s new iOS 26 “liquid glass” user interface, echoing severe criticism from the Nielsen Norman Group.
- Quote (citing NNg, [126:55]):
“Transparency equals hard to see…animated buttons grab attention instantly. But delight turns to distraction on the tenth, twelfth, or hundredth time.”
- Consensus: new UI “looks cool” at first but “obscures content and is harder to use.”
- Steve: “It really, I mean, it's like a game. There are games you can play on your phone, but you don't want your phone to be the game.” ([128:15])
Notable Quotes
- On Chat Control Legislation:
“A blessing for US and Chinese companies, since EU users will migrate to products that respect their privacy and ignore Chat Control.” (Open letter from 40 EU tech companies, [13:10])
- On Salesforce Data Leak:
“No wonder these guys stay at it. The human factor is reliably the weakest link in the enterprise security chain.” (Steve Gibson, [34:59])
- On API/Data Integration Breaches:
“Automated backend systems which publish an API are being used by clients...if compromised, attackers can use those [APIs] at high speed to exfiltrate data.” (Steve Gibson, [49:05])
- On Redis Vulnerability:
“The urgency with which you should address this vulnerability depends upon how Redis was installed and its exposure level...330,000 Redis instances are exposed to the internet right now.” (Steve Gibson, [135:53])
- On Internet Authentication:
“Authentication is generally broken and should never be trusted. The only Internet servers that should ever be placed onto the Internet are those that do not use any authentication.” (Steve Gibson, [115:22])
Key Timestamps
| Time | Segment/Event |
|-------|------------------------------------------------------------------|
| 00:00 | Opening / Teaser |
| 10:56 | EU Chat Control Vote defeated / Privacy open letter |
| 27:28 | Salesforce ransomware/extortion, public stance, context |
| 35:10 | Discord breach overview, Zendesk compromise details |
| 49:49 | GitHub migration to Azure, risks and context |
| 56:50 | California passes privacy browser button law |
| 75:23 | Texas SB 2420 explained in-depth; Apple & developer responses |
| 101:24 | Discussion of per-transaction parental consent / implications |
| 112:18 | BreachForums HN domain seized |
| 113:45 | 100,000-strong botnet attacks US RDP endpoints |
| 122:18 | Listener feedback on iOS 26 UI; Nielsen Norman Group critique |
| 132:31 | Deep dive on RediShell (CVSS 10.0) vulnerability |
Conclusion
This episode is packed with essential security updates—from urgent patch notices (RediShell, Discord, Salesforce) to the major legal changes reshaping online privacy and software distribution in the US and Europe. Steve Gibson’s clear, sometimes passionate breakdowns equip listeners with both the context and the technical guidance they need to protect themselves and their organizations.
If you run Redis anywhere, check your configuration. If you're in Texas, brace for massive app store changes—and if you haven't yet disabled RDP at the firewall, do it now!