A 13-year-old critical remote code execution (RCE) vulnerability in Redis, dubbed RediShell, lets attackers gain full access to the underlying host system.
The flaw, tracked as CVE-2025-49844, was discovered by Wiz Research and carries the maximum CVSS severity score of 10.0, a rating reserved for the most serious vulnerabilities.
At its core it is a Use-After-Free (UAF) memory corruption bug that has been present in the Redis source code for roughly 13 years. An authenticated attacker can trigger it by sending a specially crafted Lua script.
Because Lua scripting is enabled by default, the attacker can escape the Lua sandbox and execute arbitrary code on the Redis host.
That level of access gives the attacker complete control: data can be exfiltrated, deleted, or encrypted, and the host's resources can be hijacked for purposes such as cryptomining or used as a foothold for lateral movement across the network.
The impact is magnified by how widely Redis is deployed; an estimated 75% of cloud environments use the in-memory data store for tasks such as caching, session management, and messaging.
Combined with deployment practices that often lack basic security hardening, the vulnerability becomes a significant risk multiplier for organizations worldwide.
Redis Instances Exposed to the Internet
Wiz Research's data points to a vast attack surface: roughly 330,000 Redis instances are exposed to the Internet, and, disturbingly, around 60,000 of them run without any authentication at all.
The official Redis container image, which accounts for 57% of cloud installations, does not require authentication by default.
That configuration is a serious risk: any unauthenticated attacker can send a malicious Lua script and execute code in the environment.

Instances that are reachable only from internal networks are not safe either; an attacker who has already gained a foothold can exploit the flaw to move laterally toward more sensitive infrastructure.
The attack flow begins with the attacker sending a malicious Lua script to the target Redis instance. After triggering the UAF bug to escape the sandbox, the attacker can establish a reverse shell for persistent access.
From there, the attacker can compromise the entire host by stealing credentials such as SSH keys and IAM tokens, deploying malware, and exfiltrating sensitive data from both Redis and the host machine.
On October 3, 2025, Redis published a security advisory and released patched versions that fix CVE-2025-49844. Users should upgrade immediately, especially where instances are exposed to the Internet or run without authentication.
Beyond patching, organizations should apply standard hardening practices.
Recommended measures include enabling strong authentication, disabling Lua scripting where it is not needed, running Redis as a non-root user with limited privileges, and adding network-level controls such as firewalls and Virtual Private Clouds (VPCs) so that only authorized networks can reach the instance.
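As an added example (not from the article, Wiz Research, or the Redis project), the following Python script audits a redis.conf for the controls just listed: authentication, Lua scripting exposure, protected-mode and bind address. The two configurations are constructed, and the Lua check treats either `rename-command ... ""` or an ACL `-@scripting` rule as disabling scripting.

```python
"""Audit a redis.conf for the hardening controls listed above. Added example, not
from the article or Redis; configs are constructed; non-root is out of scope."""
import shlex

# Commands that run Lua scripts; renaming them to "" disables them.
LUA_COMMANDS = {"eval", "evalsha", "script"}

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the "" used by rename-command
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    conf = parse_conf(text)
    findings = []
    # 1. Authentication: requirepass, or an ACL user with a password (>pw / #hash)
    has_pass = any(a and a[0] for a in conf.get("requirepass", []))
    acl_users = conf.get("user", [])
    acl_pass = any(t[:1] in (">", "#") for a in acl_users for t in a)
    if not (has_pass or acl_pass):
        findings.append("no authentication: set requirepass or an ACL user password")
    # 2. Lua scripting: disabled via rename-command "" or an ACL -@scripting rule
    renamed = {a[0].lower() for a in conf.get("rename-command", [])
               if len(a) == 2 and a[1] == ""}
    acl_no_lua = any("-@scripting" in a for a in acl_users)
    if not (LUA_COMMANDS <= renamed or acl_no_lua):
        findings.append("Lua scripting reachable: disable EVAL/EVALSHA/SCRIPT")
    # 3. Network exposure: protected-mode and bind address
    if any(a and a[0].lower() == "no" for a in conf.get("protected-mode", [])):
        findings.append("protected-mode is off")
    binds = conf.get("bind", [])
    if not binds or any(addr in ("0.0.0.0", "*", "::") for a in binds for addr in a):
        findings.append("bind exposes all interfaces: bind to loopback or a private address")
    return findings
# Constructed: defaults resembling the stock container image vs. a hardened file.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-strong-password
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""
```

Running `audit(WEAK_CONF)` reports four findings, while `audit(HARDENED_CONF)` returns an empty list.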
Source link: Cybersecuritynews.com.