A 13-year-old critical remote code execution (RCE) vulnerability in Redis, dubbed RediShell, allows attackers to gain full access to the underlying host system.
The flaw, tracked as CVE-2025-49844, was discovered by Wiz Research and has been assigned the highest possible CVSS severity score of 10.0, a rating reserved for the most severe security issues.
The vulnerability is a Use-After-Free (UAF) memory corruption bug that has existed in the Redis source code for approximately 13 years. An attacker who has authenticated to the server (or who can reach an instance that requires no authentication) exploits it by sending a specially crafted Lua script through the EVAL family of commands.
Lua scripting is enabled by default, so a stock installation exposes this code path. The crafted script triggers the UAF, and from the resulting memory corruption the attacker escapes the Lua sandbox and executes native code on the Redis host.
This level of access grants an attacker complete control, enabling them to steal, delete, or encrypt data, hijack system resources for activities like crypto mining, and move laterally across the network.
The potential impact is magnified by Redis’s ubiquity. An estimated 75% of cloud environments utilize the in-memory data store for caching, session management, and messaging.
The combination of this critical flaw with common deployment practices that often lack proper security hardening creates a significant risk multiplier for organizations globally.
Redis Instances Exposed to the Internet
Analysis by Wiz Research revealed an extensive attack surface, with approximately 330,000 Redis instances exposed to the internet. Alarmingly, about 60,000 of these instances have no authentication configured.
The official Redis container image, which accounts for 57% of cloud installations, does not require authentication by default.
This configuration is highly dangerous: anyone who can reach the port can send a malicious Lua script without credentials and, with this flaw, execute code on the host running Redis.
Even instances exposed only to internal networks are at high risk, as an attacker with an initial foothold could exploit the vulnerability for lateral movement to more sensitive systems.

The attack flow begins with the attacker sending a malicious Lua script to the vulnerable Redis instance. After exploiting the UAF bug to escape the sandbox, the attacker typically spawns a reverse shell for interactive access to the host and then installs whatever persistence they need.
From there, they can compromise the entire host by stealing credentials like SSH keys and IAM tokens, installing malware, and exfiltrating sensitive data from both Redis and the host machine.
On October 3, 2025, Redis released a security advisory and patched versions to address CVE-2025-49844. All Redis users are strongly urged to upgrade their instances immediately, prioritizing those that are internet-exposed or lack authentication.
In addition to patching, organizations should apply security hardening best practices, which also limit the blast radius of the next Redis bug.
These measures include enabling strong authentication, disabling Lua scripting where it is not required (in Redis 6 and later, removing the `@scripting` command category from each ACL user is the supported way to do this; note that Redis Functions run in the same Lua engine as EVAL), running Redis as a dedicated non-root user with minimal privileges, and implementing network-level access controls such as firewalls and Virtual Private Cloud (VPC) rules so that only authorized networks can reach the port.
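The following is an added example (not code from Wiz or the Redis project) that turns the hardening checklist above into a static audit of a redis.conf and its ACL file: it flags missing authentication, a listener bound to all interfaces, protected mode switched off, and any enabled user who can still reach the Lua engine. The sample configurations and ACL files embedded below are constructed for illustration; the file path /etc/redis/users.acl and the user names are assumptions. The ACL evaluation is a simplified model of Redis's rule replay (categories and whole commands only), which is enough to catch the common mistake of writing `+@all` after `-@scripting`.

```python
"""Static audit of redis.conf / ACL files for the gaps that make RediShell a pre-auth
RCE: no authentication, Lua scripting reachable, listener exposed to everyone.
Added example; not tooling from Wiz or Redis."""
import shlex

# Commands that reach the Lua engine: the EVAL family plus Redis Functions (7.x+).
SCRIPTING_COMMANDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro", "script", "function", "fcall", "fcall_ro"}
)
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}

# Constructed sample: the shape of a wide-open deployment (no auth, all interfaces).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, protected mode on, users come from an ACL file.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
aclfile /etc/redis/users.acl
"""

# Constructed ACL file: define 'default' explicitly and strip @scripting from every user.
HARDENED_ACL = """\
user default on >replace-with-a-long-random-secret ~* &* +@all -@scripting
user app on >another-long-random-secret ~app:* &* +@read +@write
"""

# Constructed ACL file with the classic ordering mistake: +@all after -@scripting re-enables EVAL.
MISORDERED_ACL = """\
user default on >replace-with-a-long-random-secret ~* &* +@all -@scripting
user batch on >batch-secret ~* &* -@scripting +@all
"""


def parse_conf(text):
    """redis.conf is 'directive arg...' per line; '#' starts a comment only at line start.
    Directives may repeat (rename-command), so each maps to a list of argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps rename-command EVAL "" as an empty argument
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def acl_scripting_allowed(rules):
    """Replay ACL rules left to right; return the scripting commands the user can still call."""
    allowed = set()  # a fresh ACL user starts with no commands at all
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@scripting"):
            allowed |= SCRIPTING_COMMANDS
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed.clear()
        elif r[:1] in "+-" and r[1:] in SCRIPTING_COMMANDS:
            (allowed.add if r[0] == "+" else allowed.discard)(r[1:])
    return allowed


def audit(conf_text, acl_text=None):
    """Return a list of (code, message) findings; an empty list means all checks passed."""
    conf = parse_conf(conf_text)
    findings = []

    # 1. Authentication: requirepass, or an ACL file (whose users are checked below).
    has_pass = any(args and args[0] for args in conf.get("requirepass", []))
    if not has_pass and "aclfile" not in conf:
        findings.append(("NO_AUTH", "no requirepass and no aclfile: anyone reaching the port can send EVAL"))

    # 2. Network exposure: protected-mode and bind decide who can reach the listener.
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode is disabled"))
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]  # '-::1' means optional
    if not binds or ALL_INTERFACES & set(binds):
        findings.append(("BIND_ALL", "listener bound to all interfaces; bind to loopback or VPC addresses"))

    # 3. Scripting: removed via rename-command, or denied per user in the ACL file.
    removed = {a[0].lower() for a in conf.get("rename-command", []) if len(a) == 2 and a[1] == ""}
    scripting_users = []
    if acl_text is not None:
        for raw in acl_text.splitlines():
            parts = shlex.split(raw)
            if not parts or parts[0] != "user" or "off" in parts[2:]:
                continue  # blank line, not a user line, or a disabled user
            name, rules = parts[1], parts[2:]
            if "nopass" in rules:
                findings.append(("NO_AUTH", f"ACL user {name!r} is enabled with nopass"))
            if acl_scripting_allowed(rules) - removed:
                scripting_users.append(name)
    elif not SCRIPTING_COMMANDS <= removed:
        scripting_users.append("default")  # no ACL file: the default user has +@all
    if scripting_users:
        findings.append(("SCRIPTING_REACHABLE", "Lua engine reachable for: " + ", ".join(scripting_users)))
    return findings


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_CONF,)), ("hardened", (HARDENED_CONF, HARDENED_ACL)),
                        ("misordered ACL", (HARDENED_CONF, MISORDERED_ACL))):
        print(label, audit(*args) or "OK")
```

Running this against a real deployment means feeding it the files Redis actually loads (`CONFIG GET dir` and `CONFIG GET aclfile` on a live server tell you which), and it only covers configuration: whether the process runs as root, and whether the version is patched, still have to be checked on the host itself.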