A critical-severity vulnerability that lingered in Redis for 13 years potentially exposes 60,000 servers to exploitation, cybersecurity firm Wiz warns.
Redis is an open source platform that stores data in memory, mainly used as an application cache or quick-response database, as it offers increased speeds and performance.
By default, the official Redis container does not require authentication, as instances should be deployed internally and not internet-accessible, but there are roughly 330,000 Redis servers exposed to the web, and 60,000 of them have no authentication.
“The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default),” Wiz notes.
This exposes the servers to the exploitation of the newly discovered CVE-2025-49844 (CVSS score of 10/10), named RediShell, a use-after-free issue that may allow authenticated attackers to execute arbitrary code remotely.
Underlining that roughly 75% of cloud environments rely on Redis, Wiz explains that an attacker could fully compromise a system by sending a malicious Lua script to trigger the bug and escape the Lua sandbox to achieve code execution.
The script would also deploy a reverse shell to establish persistent access, allowing attackers to harvest credentials and other sensitive information, exfiltrate data, install malware, move laterally using the stolen sensitive data, and escalate their privileges.
“More Redis instances are exposed to internal networks where authentication may not be prioritized, allowing any host in the local network to connect to the database server. An attacker with a foothold in the cloud environment could gain access to sensitive data and exploit the vulnerability to run arbitrary code for lateral movement into sensitive networks,” Wiz notes.
On October 3, Redis versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131 were released with patches for the vulnerability. Redis also rolled out OSS/CE versions 8.2.2, 8.0.4, 7.4.6, and 7.2.11, and Stack versions 7.4.0-v7 and 7.2.0-v19.
Redis, which notes that the flaw can be exploited by manipulating the garbage collector, says that cloud deployments have been automatically updated to the new versions, but that self-managed instances should be upgraded to the latest releases as soon as possible.
Redis also recommends restricting network access to servers, enforcing strong authentication methods, ensuring protected-mode is enabled (in CE and OSS), and implementing minimum necessary permissions for user accounts that have access to the servers.
“Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity. […] Only allow trusted identities to run Lua scripts or any other potentially risky commands,” Redis notes.
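As an added example (not code from Wiz, Redis or this article), the check below applies those recommendations to captured `CONFIG GET` and `ACL LIST` output and lists what still needs fixing; the config values, ACL lines and password-hash placeholders are constructed samples, and the `@scripting` command set is the one documented for Redis ACL categories.

```python
"""Offline audit of Redis hardening settings: protected-mode on, no
all-interface bind, no password-less enabled users, and no identity
left able to run Lua (EVAL/EVALSHA and the rest of @scripting)."""

# Commands in the @scripting ACL category, per the Redis ACL documentation.
SCRIPTING_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
                  "fcall", "fcall_ro", "function"}


def user_allows_scripting(acl_line):
    """Replay one 'ACL LIST' entry's command rules in order (later rules
    override earlier ones) and report whether any @scripting command survives.
    Subcommand rules such as '+script|flush' are ignored for simplicity."""
    allowed = set()
    for tok in acl_line.split()[2:]:          # skip the 'user <name>' prefix
        rule = tok.lower()
        if rule in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING_CMDS)
        elif rule in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif rule[0] in "+-" and rule[1:] in SCRIPTING_CMDS:
            (allowed.add if rule[0] == "+" else allowed.discard)(rule[1:])
    return bool(allowed)


def audit_redis(config, acl_list):
    """config: dict built from CONFIG GET; acl_list: lines from ACL LIST.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    if config.get("protected-mode", "").lower() != "yes":
        findings.append("protected-mode is off: enable it")
    bind = config.get("bind", "")                 # absent bind = all interfaces
    if not bind or any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind.split()):
        findings.append("bind exposes all interfaces: bind to internal addresses only")
    for line in acl_list:
        toks = line.split()
        name, flags = toks[1], toks[2:]
        if "off" in flags:
            continue                               # disabled user cannot connect
        if "nopass" in flags:
            findings.append(f"user '{name}' has no password: set one or disable it")
        if user_allows_scripting(line):
            findings.append(f"user '{name}' can run Lua: add -@scripting unless trusted")
    return findings


# Constructed sample: an internet-exposed, unauthenticated instance.
WEAK_CONFIG = {"protected-mode": "no", "bind": "0.0.0.0"}
WEAK_ACL = ["user default on nopass ~* &* +@all"]

# Constructed sample: the same instance after hardening (hash is a placeholder).
HARDENED_CONFIG = {"protected-mode": "yes", "bind": "127.0.0.1 10.0.0.5"}
HARDENED_ACL = [
    "user default on #<sha256-hash-placeholder> ~* &* +@all -@scripting",
    "user app on #<sha256-hash-placeholder> ~app:* &* -@all +@read +@write",
]
```

Running `audit_redis(WEAK_CONFIG, WEAK_ACL)` reports four findings (protected-mode, bind, a password-less default user, and Lua allowed), while the hardened pair returns none.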
There is no evidence that CVE-2025-49844 has been exploited in the wild. Unauthorized access to the database, anomalous traffic to the server, unknown use of scripting commands, unexpected crashes tracing to the Lua engine, and anomalous command execution or file system changes could indicate potential compromise.
“RediShell (CVE-2025-49844) represents a critical security vulnerability that affects all Redis versions due to its root cause in the underlying Lua interpreter. With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries,” Wiz said.
In an emailed comment, Tuskira co-founder and CEO Piyush Sharma underlined the risks associated with the exploitation of this vulnerability in the context of tens of thousands of servers being accessible from the internet without authentication.
“This Lua-based use-after-free flaw reinforces the need for proactive exposure management. Security teams should identify misconfigured or outdated Redis builds through continuous asset discovery and validate real-world exploitability using safe simulations,” Sharma said.
“To mitigate risk, disable Lua for untrusted users, monitor Redis process behavior at the endpoint and network level, and isolate exposed nodes. Redis itself should adopt safer defaults and firewall protections to reduce public exposure,” he added.