A 13-year-old critical remote code execution (RCE) vulnerability in Redis, dubbed RediShell, allows attackers to gain full access to the underlying host system.
The flaw, tracked as CVE-2025-49844, was discovered by Wiz Research and has been assigned the highest possible CVSS severity rating of 10.0, a score reserved for the most severe security issues.
The vulnerability is a use-after-free (UAF) memory corruption bug that has existed in the Redis source code for roughly 13 years. A post-authentication attacker can exploit it by sending a specially crafted Lua script.
Because Lua scripting is enabled by default, the attacker can escape the Lua sandbox and achieve arbitrary code execution on the Redis host.
This level of access grants full control of the host, enabling the attacker to steal, delete, or encrypt data, hijack system resources for activities such as crypto mining, and move laterally across the network.
The potential impact is magnified by Redis's ubiquity. An estimated 75% of cloud environments use the in-memory data store for caching, session management, and messaging.
The combination of this critical flaw with widespread deployment practices that often lack proper security hardening creates a significant risk multiplier for organizations worldwide.
Redis Instances Exposed to the Internet
Analysis by Wiz Research revealed an extensive attack surface, with roughly 330,000 Redis instances exposed to the internet. Alarmingly, about 60,000 of those instances have no authentication configured.
The official Redis container image, which accounts for 57% of cloud installations, does not require authentication by default.
This configuration is extremely dangerous, as it allows any unauthenticated attacker to send malicious Lua scripts and execute code within the environment.
Even instances exposed only to internal networks are at high risk, since an attacker with an initial foothold could exploit the vulnerability to move laterally to more sensitive systems.
The attack flow begins with the attacker sending a malicious Lua script to the vulnerable Redis instance. After successfully exploiting the UAF bug to escape the sandbox, the attacker can establish a reverse shell for persistent access.
From there, they can compromise the entire host by stealing credentials such as SSH keys and IAM tokens, installing malware, and exfiltrating sensitive data from both Redis and the host machine.
On October 3, 2025, Redis released a security advisory and patched versions to address CVE-2025-49844. All Redis users are strongly urged to upgrade their instances immediately, prioritizing those that are internet-exposed or lack authentication.
In addition to patching, organizations should implement security hardening best practices.
These measures include enabling strong authentication, disabling Lua scripting if it is not required, running Redis under a non-root user account with minimal privileges, and implementing network-level access controls such as firewalls and Virtual Private Clouds (VPCs) to restrict access to authorized networks only.
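As an added example (not from the article or the Redis project), the following Python script audits the text of a redis.conf against the hardening points listed above without connecting to a server. It assumes Redis 6+ ACL syntax (where the @scripting category covers EVAL/EVALSHA) plus the older rename-command approach; the two sample configs and the CHANGE-ME-placeholder secret are constructed.

```python
"""Audit a redis.conf for authentication, bind address, protected-mode and
Lua availability.  Example code added here, not from the article or Redis."""


def parse_conf(text):
    """Return (directive, args) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a sorted list of findings; an empty list means nothing flagged."""
    conf = parse_conf(text)
    get = lambda d: [args for key, args in conf if key == d]
    users = get("user")  # ACL rules, Redis 6+
    findings = []
    # 1. Some credential must exist: requirepass, or an ACL user with a
    #    '>' (clear) or '#' (hashed) password rule.
    if not get("requirepass") and not any(
            tok[:1] in (">", "#") for rule in users for tok in rule):
        findings.append("no-authentication")
    # 2. A still-enabled 'default' user with nopass is open to anyone.
    if any(r and r[0] == "default" and "nopass" in r and "off" not in r for r in users):
        findings.append("default-user-nopass")
    # 3. No bind directive, or a wildcard one, listens on every interface.
    binds = get("bind")
    if not binds or any(a in ("0.0.0.0", "*", "::") for b in binds for a in b):
        findings.append("bind-all-interfaces")
    # 4. protected-mode no removes the last guard for passwordless instances.
    if any(r and r[0].lower() == "no" for r in get("protected-mode")):
        findings.append("protected-mode-off")
    # 5. Scripting counts as disabled only if EVAL and EVALSHA are renamed
    #    away, or every enabled ACL user carries -@scripting.
    renamed = {r[0].upper() for r in get("rename-command")
               if len(r) == 2 and r[1] in ('""', "''")}
    blocked = {"EVAL", "EVALSHA"} <= renamed or bool(users) and all(
        "off" in r or "-@scripting" in r for r in users)
    if not blocked:
        findings.append("lua-scripting-available")
    return sorted(findings)


# Constructed samples. CHANGE-ME-placeholder stands in for a real secret.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_CONF = ("bind 127.0.0.1 -::1\nprotected-mode yes\nuser default off\n"
                 "user app on >CHANGE-ME-placeholder ~* &* +@all -@scripting\n")
```

Run `audit()` on a deployed instance's config file; anything other than an empty list corresponds to one of the hardening gaps the article calls out.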