Security Now 1047: RediShell’s CVSS 10.0 – The Rise of Mega Botnets
Podcast: Security Now (TWiT)
Hosts: Steve Gibson & Leo Laporte
Date: October 15, 2025
Episode Overview
This episode tackles some of the most urgent and impactful stories in cybersecurity, including:
- The critical new “RediShell” vulnerability affecting over 330,000 Internet-exposed Redis servers, rated at the maximum CVSS 10.0.
- The rise of global mega-botnets targeting exposed RDP services, with more than 100,000 bot-controlled endpoints.
- Major data breaches at Discord and Salesforce, with corporate refusals to pay extortion ransoms, leading to massive leaks of personal and government ID data.
- The recent EU vote against “Chat Control” privacy-breaking regulation and legislative updates from Texas and California that reshape online privacy and age verification.
- Technical and UI tangents, including the troubled user interface redesign in iOS 26 and Microsoft’s internal push to migrate GitHub to Azure.
Steve and Leo offer expert technical analysis, policy discussion, practical advice, and unfiltered reactions to this rapidly changing threat landscape.
Key Discussions & Insights
1. Major News Headlines (00:00 – 05:43)
- Leo and Steve outline the episode’s agenda, touching on EU privacy developments, Salesforce and Discord breaches, mega-botnet attacks on RDP, new browser privacy law in California, and the “end of life” for Windows 10.
- “We've got a new California law that our governor Gavin Newsom signed last week that should help things… Also, we’ve got a 100,000-strong global botnet attacking US-based RDP services. And again, what could possibly go wrong there?” – Steve Gibson (02:50)
2. Picture of the Week – Dementia Patient Security (09:10 – 10:56)
- The “picture of the week” shows clever use of memory care codes, designed to allow staff elevator access while minimizing dementia patient risk—demonstrating security through usability and social engineering awareness.
3. EU Chat Control Legislation Dodged (10:56 – 27:22)
- The controversial “Chat Control” regulation, which threatened end-to-end encryption for content-scanning, failed due to opposition from Germany and the Netherlands.
- Notable quote:
- “Germany’s justice minister… described chat control as a, ‘taboo for the rule of law,’ arguing that the fight against child pornography does not justify removing everyone’s right to privacy.” – Steve Gibson (12:42)
- Steve shares a detailed open letter from top EU tech companies warning that such laws would devastate European digital sovereignty and commercial competitiveness (14:00–24:00).
- Steve and Leo emphasize the importance of legislatures respecting encryption and user rights, while noting that variants of the law could reappear elsewhere.
4. Salesforce Ransomware Extortion & Data Leak (27:22 – 35:10; Updated at 75:23)
- Salesforce faced a public extortion demand for ~1 billion customer records following breaches attributed to “Scattered Lapsus Hunters.” Salesforce refused to pay the ransom (27:22).
- Notable quote:
- “Salesforce says it’s refusing to pay an extortion demand made by a crime syndicate… I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand.” – Steve Gibson quoting Salesforce (28:35)
- Steve predicts, accurately, that the data would be leaked anyway, as ransom groups need credibility—later confirming (at 75:23) that major customer databases, including Qantas and Vietnam Airlines, were exposed.
- Notable quote:
- “...the bad guys need to leak the data so their next victim will take them seriously. Oh, Leo, what a world.” – Steve Gibson (34:49)
5. Discord Data Breach: 5.5 Million Users Affected (39:42 – 49:42)
- The Discord breach exposed data on roughly 5.5 million users, including up to 70,000 government ID photos that had been retained from age-verification appeals and were reachable through an outsourced support workflow running on Zendesk.
- Insights:
- Attackers leveraged a compromised outsourced support agent’s access, exploited Zendesk APIs, and exfiltrated data for 58 hours (41:35).
- Steve criticizes data hoarding as “data aggregation fever” and underscores cybersecurity risks of deep API integrations.
- “So folks, we need a better solution for proving age… [This breach] shows you exactly why.” – Leo Laporte (41:03)
- “Basically, what's happened is... enterprises have established operational backends... an underground private network which is data-rich. Now bad guys are breaking into that and taking advantage of these APIs to suck out all of the data.” – Steve Gibson (47:00)
6. GitHub Forced Migration to Azure (49:49 – 55:27)
- Microsoft is accelerating GitHub’s move to Azure infrastructure, prioritizing the migration over new feature development, due to scalability issues and the workload of AI (e.g. Copilot).
- Steve and Leo discuss possible outages, technical risks, and developer community concerns as GitHub’s autonomy erodes within Microsoft.
7. California and Texas Privacy & Age Verification Laws (55:30 – 104:54)
California (55:30 – 64:55):
- New law mandates browsers provide a user-friendly universal opt-out signal (“Global Privacy Control”) to simplify blocking data sales—enforceable by 2027.
- Only DuckDuckGo, Brave, and Tor currently broadcast GPC by default. Chrome and Safari need to catch up.
- “It is progress. We have the technology and then we have the legislation to require its use…” – Steve Gibson (64:10)
Texas SB2420 "App Store Accountability Act" (75:23 – 104:54):
- Texas’s new law (in effect Jan 1, 2026) forces app marketplaces to verify user age using “commercially reasonable methods” (e.g., no simple self-declaration) and to obtain parental consent for every download or in-app purchase by minors (under 18).
- “Anything any app downloaded by a minor, regardless of its rating, requires parental consent.” – Steve Gibson (86:55)
- Apple, Google, and developers must retool to comply, with Apple noting that even for weather apps, ID checks may be required.
- “Tim Cook is believed to have called Greg Abbott to argue against the provisions of the legislation… Those pleas apparently fell on deaf ears.” – Steve Gibson (85:55)
- Apple’s currently available Age Range API is deemed insufficient; Texas will not accept unverifiable age claims.
- “Self-declaration never is sufficient in Texas. This implies that for Texas users, Apple will need to implement some new form of age verification—ID checks, credit card-based validation, or some other form of verifiable age assurance.” – Steve Gibson (99:16)
- Massive privacy and usability implications are dissected, and Leo laments the expected surge of “adults only” app labels to avoid compliance risk (86:45).
8. RDP Mega Botnets – 100,000+ Global Attack Nodes (113:44 – 121:00)
- A botnet of more than 100,000 globally distributed nodes, with source addresses in over 100 countries, has begun attacking exposed U.S. RDP endpoints.
- Steve reiterates perennial warnings:
- “Don’t do it. For me or anyone to publicly expose any instance of RDP to the Internet would be just begging for an intrusion.” – Steve Gibson (115:03)
- Steve’s standing rule: the only services that belong on a public interface are those designed to serve anonymous clients and therefore need no authentication at all; anything that relies on a login to keep strangers out (RDP included) belongs behind a VPN (115:47).
9. iOS 26 UI Rant and NNG Critique (121:10 – 127:14)
- Steve shares listener Dan Linder’s link to the Nielsen Norman Group’s scathing review of iOS 26’s “liquid glass” visual language, reinforcing his concerns about design choices that sacrifice usability.
- “Liquid glass makes UI elements translucent and bubbly. The result is light, airy—and often invisible. Content may technically be in focus, but you can’t read or see it.” – NNG via Steve Gibson (123:35)
10. RediShell: A CVSS 10.0 Catastrophe in Redis (132:31 – 146:57)
- Exploit Summary:
- Newly disclosed remote code execution (RCE) vulnerability, tracked as CVE-2025-49844, affecting every Redis release that ships Lua scripting. It stems from a 13-year-old use-after-free bug in the embedded Lua interpreter.
- Impact:
- CVSS 10.0, the highest possible severity. Wiz counts 330,000+ Redis servers reachable from the Internet, roughly 60,000 of them with no authentication configured at all.
- A client that can submit Lua scripts (any authenticated client, or anyone at all on those 60,000 open instances) can break out of the Lua sandbox and run arbitrary native code, giving full host compromise: data theft, ransomware, botnet recruitment, and lateral movement through cloud environments.
- Patching: fixed releases have been available since October 3, but exploitation is expected because the fix is public in the open-source repository and patch deployment typically lags far behind.
- “The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation.” – Steve Gibson quoting Wiz Research (145:40)
- Key Advice, if you run Redis:
- Patch immediately.
- Never expose Redis directly to the Internet; bind it to internal interfaces and keep authentication turned on.
- Scan internal networks for rogue Redis listeners on port 6379.
- Remove instances that don’t need to be running, and tighten firewall rules around those that do.
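The checklist above is a procedure, so here is an added example of carrying it out. This is my code, not code from the episode, from Wiz, or from the Redis project. It walks an internal range, finds listeners on 6379, and for each one records whether it answers PING without a password, whether a harmless `EVAL "return 1" 0` reaches the Lua engine (the precondition RediShell needs), and whether the `redis_version` it reports is at or above the first fixed build for its branch. Assumptions: the fixed-version table is what I recall from the Redis advisory and should be checked against it before you trust the “patched” column; the default CIDR is a placeholder; the RESP replies used in testing are constructed from what a real server returns.

```python
"""Survey an internal range for Redis listeners on 6379 and triage each one for
RediShell (CVE-2025-49844) exposure: no password? Lua callable? old build?"""
import ipaddress
import socket
import sys
from typing import Dict, Iterator, Optional, Tuple

Version = Tuple[int, ...]

# First fixed build per maintained branch, as I recall the Redis advisory listing them.
# ASSUMPTION: confirm against the advisory for CVE-2025-49844 before relying on it.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11), (6, 2): (6, 2, 20),
}


def encode_command(*parts: str) -> bytes:
    """Serialise a command as a RESP array of bulk strings, as redis-cli does."""
    out = [b"*%d\r\n" % len(parts)]
    for p in parts:
        data = p.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def classify_ping(reply: bytes) -> str:
    """PING is the cheapest way to learn whether the listener demands a password."""
    if reply.startswith(b"+PONG"):
        return "unauthenticated"   # anyone who can reach the port can run commands
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"     # requirepass / ACL password is set
    if reply.startswith(b"-DENIED"):
        return "protected-mode"    # protected-mode refused a non-loopback client
    return "not-redis-or-unknown"


def classify_eval(reply: bytes) -> str:
    """EVAL 'return 1' 0 changes nothing but shows whether Lua is reachable."""
    if reply.startswith(b":1"):
        return "scripting-reachable"
    if reply.startswith(b"-NOPERM"):
        return "scripting-denied-by-acl"   # e.g. ACL SETUSER app ... -@scripting
    if reply.startswith(b"-ERR unknown command"):
        return "scripting-disabled"        # EVAL removed with rename-command
    return "unknown"


def parse_version(info_text: str) -> Optional[Version]:
    """Pull redis_version out of an INFO server payload."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(n) for n in line.split(":", 1)[1].strip().split(".")[:3])
    return None


def is_patched(version: Version) -> bool:
    """A branch the advisory does not list (5.x, 7.0, ...) has no fixed build."""
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    return fixed is not None and version >= fixed


def triage(ping_reply: bytes, eval_reply: bytes, info_text: str) -> Dict[str, object]:
    """Fold the three probe replies into one finding; pure, so testable offline."""
    version = parse_version(info_text)
    f: Dict[str, object] = {
        "access": classify_ping(ping_reply),
        "scripting": classify_eval(eval_reply),
        "version": version,
        "patched": bool(version) and is_patched(version),
    }
    # Worst case: no password, Lua callable by any client, and still on an old build.
    f["critical"] = (f["access"] == "unauthenticated"
                     and f["scripting"] == "scripting-reachable" and not f["patched"])
    return f


def _read_reply(sock: socket.socket) -> bytes:
    """Read one RESP reply: a simple/error line, or a bulk string of declared length."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    if not buf.startswith(b"$"):
        return buf
    head, _, body = buf.partition(b"\r\n")
    length = int(head[1:])
    while 0 <= length and len(body) < length + 2:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return body[:max(length, 0)]


def probe(host: str, port: int = 6379, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Connect and PING; only if no password is needed, also try EVAL and INFO server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(encode_command("PING"))
            ping, ev, info = _read_reply(s), b"", b""
            if ping.startswith(b"+PONG"):
                s.sendall(encode_command("EVAL", "return 1", "0"))
                ev = _read_reply(s)
                s.sendall(encode_command("INFO", "server"))
                info = _read_reply(s)
    except OSError:
        return None   # closed, filtered, or timed out: no Redis here
    return triage(ping, ev, info.decode(errors="replace"))


def scan(cidr: str, port: int = 6379) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Yield (host, finding) for every address in the range that speaks Redis."""
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        finding = probe(str(ip), port)
        if finding is not None:
            yield str(ip), finding


if __name__ == "__main__":
    for host, f in scan(sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/24"):  # placeholder CIDR
        print(("CRITICAL " if f["critical"] else "review   ") + host, f)
```

Run it from a host inside the segment, e.g. `python redis_triage.py 10.20.0.0/22`. A CRITICAL line is an instance anyone on the network can drive into the Lua engine on an unpatched build, which is exactly the RediShell precondition; those go to the top of the patch-or-remove list. Instances reported as `auth-required` are not cleared by this pass, since their patch level can only be read with credentials, and `scripting-denied-by-acl` shows what a `-@scripting` ACL buys you as an interim control while the upgrade is scheduled.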
Memorable Quotes & Moments
- On RDP:
- “Don’t do it. My repeated admonishment flies in the face of convenience, right? As we all know, convenience often trumps security.” (115:03)
- On Chat Control:
- “Mandating what would essentially amount to backdoors... creates vulnerabilities that can and will be exploited by hostile state actors and criminals.” (16:00)
- On Discord breach data retention:
- “Why are the age verification records being kept? That’s just lazy.” (49:40)
- On Texas SB2420's reality:
- “Imagine being a 17-year-old high school senior in Texas and needing to obtain your mother's permission to add an app, any app, regardless of its age rating, to your iPhone.” (100:56)
- On UI design (NNG):
- “Delight turns to distraction on the tenth, twelfth, or hundredth time... It’s like the interface is shouting ‘look at me’ when it should quietly step aside and let the real star—the content—take the spotlight.” (124:30)
Critical Timestamps
- 00:00 – Episode intro & headlines
- 09:10 – Picture of the week
- 10:56 – EU Chat Control vote analysis
- 27:22 – Salesforce refuses extortion, consequences
- 39:42 – Discord breach deep-dive
- 49:49 – GitHub’s forced migration to Azure
- 55:30 – California’s Global Privacy Control law
- 75:23 – Texas SB2420 explainer & App Store consequences
- 113:44 – Mega-botnet RDP attacks begin
- 121:10 – iOS 26 visual design critique
- 132:31 – Main event: RediShell Redis exploit analysis
- 146:57 – Lua ecosystem risks & episode wrap-up
Takeaways for Security Professionals
- Patch and re-secure any Redis deployments immediately—treat all as potentially vulnerable unless proven updated and firewalled.
- Do not expose RDP or Redis to the open Internet under any circumstances—use VPN, strong certificate-based auth, and segmentation.
- Review all third-party integrations (Zendesk, etc.) for excessive API/data permissions and enforce aggressive data minimization and retention policies.
- Track rapidly changing regulatory requirements—US state privacy and safety laws can (and will) impact your technical and product roadmaps on short notice.