A severe, 13-year-old remote code execution (RCE) vulnerability in Redis, dubbed RediShell, allows attackers to gain complete control of the underlying host.
The flaw, tracked as CVE-2025-49844, was discovered by Wiz Research and has received the highest possible CVSS severity rating of 10.0, a score reserved for the most critical vulnerabilities.
The vulnerability is a Use-After-Free (UAF) memory corruption bug that has been present in the Redis source code for roughly 13 years. A post-authentication attacker can trigger it by sending a specially crafted Lua script.
Because Lua scripting is a built-in Redis feature, the attacker can use it to escape the Lua sandbox and execute arbitrary code on the Redis host.
This level of access gives the attacker total control: they can steal, delete, or encrypt data, hijack system resources for activities such as cryptocurrency mining, and move laterally across the network.
The potential impact is magnified by how widely Redis is used. Approximately 75% of cloud environments run the in-memory data store for caching, session management, and messaging.
The combination of this critical vulnerability with common deployment practices that often lack adequate security hardening is a significant risk multiplier for organizations worldwide.
Redis Instances Exposed to the Internet
Wiz Research's analysis revealed a large attack surface: around 330,000 Redis instances are reachable from the internet, and roughly 60,000 of them have no authentication configured at all.
The official Redis container image, which accounts for 57% of cloud deployments, does not require authentication by default.
This configuration is extremely dangerous, because any unauthenticated attacker can send malicious Lua scripts and execute code in the environment.
Even instances reachable only from internal networks remain at high risk: an attacker with an initial foothold could use the vulnerability to move laterally to more sensitive systems.

The attack chain begins when the adversary sends a malicious Lua script to a vulnerable Redis instance. After exploiting the UAF bug to escape the sandbox, the attacker can establish a reverse shell for persistent access.
From there, they can compromise the entire host by stealing credentials such as SSH keys and IAM tokens, installing malware, and exfiltrating sensitive data from both Redis and the host machine.
On October 3, 2025, Redis published a security advisory and released patched versions that fix CVE-2025-49844. All Redis users are strongly urged to upgrade promptly, prioritizing instances that are exposed to the internet or lack authentication.
Alongside patching, organizations should adopt security hardening best practices.
These include enabling strong authentication, disabling Lua scripting where it is not needed, running Redis as a non-root user with minimal privileges, and using network-level access controls such as firewalls and Virtual Private Clouds (VPCs) so that only authorized networks can reach the instance.
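The hardening items above (authentication, restricted network exposure, Lua scripting disabled where unnecessary) can be checked statically against a redis.conf before a fleet is redeployed. The following is an added example written for this article, not code from Wiz Research or the Redis project: it parses a redis.conf text and reports which controls are missing. Both configuration samples are constructed for illustration; the `requirepass` value is a placeholder. The parser approximates Redis's own quoting rules with `shlex`, and the ACL check only inspects the `default` user's `-@scripting` rule, which is an assumption about how scripting would be disabled via ACLs. This is a configuration review aid only; the primary fix for CVE-2025-49844 remains upgrading to a patched release.

```python
"""Static hardening audit of a redis.conf (added example, not Redis project code)."""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: a typical unhardened configuration.
SAMPLE_CONF = """\
# constructed example redis.conf (weak settings)
bind 0.0.0.0
port 6379
protected-mode no
# requirepass is left commented out, so clients connect without a password
# requirepass change-me
"""

# Constructed sample: the same file with the recommended controls applied.
HARDENED_CONF = """\
# constructed example redis.conf (hardened)
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "placeholder-long-random-secret"
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

LUA_COMMANDS = {"eval", "evalsha", "script"}   # Lua entry points in classic Redis
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}        # addresses meaning "every interface"


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the list of argument lists seen for it.

    redis.conf is one directive per line, '#' starts a comment, and some
    directives (rename-command, user) may legitimately repeat, hence the list.
    shlex approximates Redis's quote handling (assumption): '""' becomes ''.
    """
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(conf: Dict[str, List[List[str]]]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for each missing hardening control."""
    findings: List[Tuple[str, str]] = []

    # 1. Authentication: requirepass with a non-empty value, or ACL users.
    has_requirepass = any(args and args[0] for args in conf.get("requirepass", []))
    user_lines = conf.get("user", [])
    if not has_requirepass and not user_lines:
        findings.append(("no-auth", "no requirepass and no ACL users: unauthenticated access"))
    for args in user_lines:
        if args and "nopass" in args:
            findings.append(("nopass-user", f"ACL user '{args[0]}' is configured with nopass"))

    # 2. Protected mode explicitly switched off.
    pm = conf.get("protected-mode", [])
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append(("protected-mode-off", "protected-mode no: safety net disabled"))

    # 3. Network exposure: no bind at all, or a wildcard address, listens everywhere.
    binds = conf.get("bind", [])
    addrs = [a.lstrip("-") for args in binds for a in args]  # '-' marks optional addrs
    if not binds or any(a in WILDCARD_BINDS for a in addrs):
        findings.append(("bind-all", "Redis listens on all interfaces; restrict with bind"))

    # 4. Lua scripting still reachable: neither renamed away nor blocked by ACL.
    renamed = {args[0].lower() for args in conf.get("rename-command", [])
               if len(args) == 2 and args[1] == ""}
    acl_blocked = any(args and args[0] == "default" and "-@scripting" in args
                      for args in user_lines)
    if not acl_blocked and not LUA_COMMANDS <= renamed:
        findings.append(("lua-enabled", "Lua scripting (EVAL/EVALSHA/SCRIPT) is enabled"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for code, msg in audit(parse_redis_conf(text)) or [("ok", "no findings")]:
            print(f"  {code}: {msg}")
```

Run against the weak sample the script reports all four findings (no-auth, protected-mode-off, bind-all, lua-enabled); against the hardened sample it reports none. Note that `rename-command` is the older way to remove Lua entry points; on Redis versions with ACLs, a `-@scripting` rule on the relevant users is the cleaner control, and the ACL check here is deliberately narrow.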