Mallory

Unpatched internet-facing servers remain exposed to critical RCE flaws in Redis and IceWarp

Tags: internet-facing-service-vulnerability, internet-exposed-service, widely-deployed-product-advisory, proof-of-concept-release
Updated March 21, 2026 at 02:12 PM · 2 sources

A long-lived Redis memory-corruption flaw dubbed RediShell (CVE-2025-49844) was reported as a use-after-free bug that can lead to remote code execution under certain conditions. Although exploitation requires authentication, research noted that tens of thousands of Redis instances have historically been exposed to the internet without authentication enabled, increasing real-world risk; the issue was discovered by Wiz and demonstrated at Pwn2Own Berlin prior to public disclosure.

Separately, IceWarp disclosed a critical unauthenticated RCE (CVE-2025-14500) caused by OS command injection in the handling of the X-File-Operation HTTP header, impacting both Windows and Linux deployments and enabling arbitrary command execution as SYSTEM/root. The flaw was reported in September 2025 and fixed in October 2025 across supported product lines, but Shadowserver reported more than 1,200 internet-facing on-prem instances still unpatched and said it is notifying affected owners to upgrade.

Timeline

  1. Mar 5, 2026

    CSO Online highlights long-lived vulnerabilities including RediShell and Vault flaws

    On March 5, 2026, CSO Online published a roundup of long-lived software flaws, including the Redis use-after-free bug CVE-2025-49844, LionWiki path traversal issues, a sudo host logic flaw, HashiCorp Vault and CyberArk Conjur logic bugs disclosed at Black Hat USA 2025, GRUB2 Secure Boot-related flaws, and the recently fixed Telnet bypass. The article summarizes previously disclosed technical findings rather than introducing a new incident.

  2. Mar 4, 2026

    Shadowserver finds 1,200+ exposed IceWarp servers still unpatched

    By early March 2026, the Shadowserver Foundation reported more than 1,200 internet-facing IceWarp instances remained vulnerable to CVE-2025-14500 and said it was notifying owners to update. IceWarp support urged prompt upgrades and backups before patching, while the CCB (Centre for Cybersecurity Belgium) warned that patching would not undo any prior compromise.

  3. Jan 1, 2026

    Telnet authentication bypass CVE-2026-24061 fixed

    A Telnet authentication bypass vulnerability, CVE-2026-24061, that had existed since May 2017 was fixed in January 2026. The bug could enable remote compromise when the service is exposed to the internet.

  4. Oct 1, 2025

    IceWarp releases fixes for CVE-2025-14500

    In October 2025, IceWarp fixed CVE-2025-14500 across multiple supported product generations and versions. The Centre for Cybersecurity Belgium later described the issue as insufficient validation of user-supplied data before it is passed to a system call.

  5. Sep 1, 2025

    IceWarp RCE flaw CVE-2025-14500 reported to vendor

    The critical unauthenticated OS command injection vulnerability CVE-2025-14500 in IceWarp was reported in September 2025. The flaw affects handling of the X-File-Operation header and can allow arbitrary command execution as SYSTEM on Windows or root on Linux.


Related Stories

Critical OS Command Injection in IceWarp via `X-File-Operation` Header

Government cyber agencies in Belgium and Canada warned of a **critical unauthenticated OS command injection** vulnerability in *IceWarp* (tracked as **CVE-2025-14500**, **CVSS 9.8**) that can allow a remote attacker to execute arbitrary commands on affected servers. The flaw is described as **CWE-78** and is tied to improper validation of user-controlled input in the `X-File-Operation` HTTP header, enabling code execution with high privileges (e.g., **SYSTEM** on Windows or **root** on Linux), with severe impact to confidentiality, integrity, and availability. Both advisories urge immediate patching across impacted IceWarp product lines and versions, including *IceWarp Epos Update 2*, *Epos Update 1*, *Epos (1st generation)*, and *Deep Castle and older versions*. Recommended fixed versions include upgrading to **14.2.0.12+** (Epos Update 2), **14.1.0.20+** (Epos Update 1), **14.0.0.18+** (Epos 1st gen), and **13.0.3.13+** (Deep Castle/older), alongside heightened monitoring and detection while remediation is underway.

1 month ago
Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution

Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as **MongoBleed**—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the `zlib` implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions `8.2.3`, `8.0.17`, `7.0.28`, `6.0.27`, `5.0.32`, and `4.4.30`, while end-of-life branches remain unpatched. A separate advisory disclosed a **critical Redis vulnerability** affecting `8.2.1` and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow **remote arbitrary code execution**, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as `6.2.20`, `7.2.11`, `7.4.6`, `8.0.4`, and `8.2.2`, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.

1 week ago
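As an added illustration (not code from Mallory or from either vendor's advisory), the fixed-version lists quoted in the two stories above for CVE-2025-14500 (IceWarp) and CVE-2025-49844 (Redis) can be turned into a small patch-triage check for an asset inventory. It assumes the branch boundaries as stated on this page; a version on a branch for which the page lists no fixed release is returned as `None` so it gets manual review rather than a silent pass. The `INFO server` sample is constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases as quoted in the advisories summarised above.
# Each entry: (branch lower bound inclusive, branch upper bound exclusive, first fixed version).
FIXED_VERSIONS = {
    # CVE-2025-14500: IceWarp OS command injection via the X-File-Operation header
    "icewarp": [
        ((14, 2), (14, 3), (14, 2, 0, 12)),  # Epos Update 2
        ((14, 1), (14, 2), (14, 1, 0, 20)),  # Epos Update 1
        ((14, 0), (14, 1), (14, 0, 0, 18)),  # Epos (1st generation)
        ((0,),    (14,),   (13, 0, 3, 13)),  # Deep Castle and older: upgrade to 13.0.3.13+
    ],
    # CVE-2025-49844 (RediShell): Redis use-after-free reachable via Lua scripting
    "redis": [
        ((8, 2), (8, 3), (8, 2, 2)),
        ((8, 0), (8, 1), (8, 0, 4)),
        ((7, 4), (7, 5), (7, 4, 6)),
        ((7, 2), (7, 3), (7, 2, 11)),
        ((6, 2), (6, 3), (6, 2, 20)),
    ],
}

def parse_version(text: str) -> Version:
    """Turn '14.2.0.11' into (14, 2, 0, 11); a suffix like '-rc1' is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)

def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if below it, None if the page lists no fixed release for that branch."""
    v = parse_version(version)
    for lo, hi, fixed in FIXED_VERSIONS[product]:
        if lo <= v < hi:            # tuple comparison handles differing lengths
            return v >= fixed
    return None

# Constructed excerpt of what a Redis `INFO server` reply looks like.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"

def redis_version_from_info(info: str) -> str:
    """Pull the redis_version field out of an INFO server reply."""
    m = re.search(r"^redis_version:(\S+)", info, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return m.group(1)
```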
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers

Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). 
SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.

1 month ago
