A 13-year-old vulnerability that affects all versions of the Redis open source data storage service can allow attackers to take full control of a host system, posing a significant threat to cloud environments across myriad organizations and industries.
Wiz Research discovered the remote code execution (RCE) flaw, tracked as CVE-2025-49844 and dubbed "RediShell," which has existed in the Redis source code for more than a decade, according to a blog post published Monday. The issue is a use-after-free (UAF) memory corruption bug and carries the highest possible CVSS severity score, a 10 out of 10.
"This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host," Wiz researchers Benny Isaacs and Nir Brakha wrote in the blog post. Lua is a lightweight programming language.
This is indeed extremely serious business, because it "grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments," they wrote.
Wiz sent the original vulnerability report to Redis on May 16 after demonstrating the flaw at the Pwn2Own Berlin 2025 conference. Redis then published a security bulletin and released a patched version of the data storage service on Oct. 3.
300,000 Instances Exposed
Redis is an increasingly popular open source, in-memory data structure storage service that is used in an estimated 75% of cloud environments, according to Wiz. Because of the widespread usage, "the potential impact is extensive," the researchers noted, urging all organizations to patch instances immediately by prioritizing those exposed to the Internet.
At this moment, that prioritization list includes more than 300,000 Redis instances, 60,000 of which require no authentication, according to Wiz. Moreover, 57% of cloud environments install Redis as container images, many without proper security hardening.
"While Redis has had a strong security history, the combination of this flaw and common deployment practices significantly increases its potential impact," Isaacs and Brakha wrote.
While Wiz recommended that all Redis users upgrade their instances immediately, the researchers differentiated between two key high-risk scenarios. Organizations running Redis containers (which do not require authentication by default) that are exposed to the Internet are at the highest risk of attack and should respond with urgent mitigation, the researchers said.
At slightly lower risk are Redis instances exposed only to internal networks, where authentication may not be prioritized and any host on the local network can therefore connect to the database server; these can still be exploited by an attacker who has already gained access to the cloud environment. Such instances should also be remediated as quickly as possible, according to Wiz.
How the Exploit Works
What compounds the severity of RediShell is that compromising a Redis instance with the flaw is not difficult, according to Wiz. An attacker first sends a malicious Lua script that triggers the use-after-free vulnerability. The script escapes the Lua sandbox and achieves arbitrary code execution, after which the threat actor establishes a reverse shell for persistent access.
Just like that, the Redis host is compromised, and an attacker can proceed to engage in malicious activity such as: stealing credentials such as SSH keys, authentication tokens, and digital certificates; installing malware or cryptocurrency miners; and exfiltrating sensitive data from Redis databases and host systems.
Using stolen credentials, an attacker also can move laterally to access other cloud services as well as escalate privileges and move on to additional systems, the researchers said.
Mitigations Beyond Patching
In addition to patching CVE-2025-49844, Wiz recommended several mitigation steps, such as implementing Redis authentication using the "requirepass" directive and using firewalls and virtual private clouds (VPCs) for network access control around Redis instances.
To further mitigate the risk of the vulnerability, security teams "should identify misconfigured or outdated Redis builds through continuous asset discovery and validate real-world exploitability using safe simulations," Piyush Sharma, CEO and co-founder of security firm Tuskira, said in a statement. They also should disable Lua for untrusted users, monitor Redis process behavior at the endpoint and network level, and isolate exposed nodes, he said.
Moreover, Redis itself should take some responsibility for protections by adopting "safer defaults and firewall protections to reduce public exposure," Sharma added.
Redis made its own recommendations to organizations in the wake of the RediShell discovery as well. One best practice is to restrict network access to authorized users and systems only. Organizations also should limit Redis permissions for user identities strictly to those that are necessary, and allow only trusted identities to run Lua scripts or issue any other potentially risky commands.
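The following redis.conf fragment is an added example, not configuration from the Wiz post or from Redis, that puts the mitigations above side by side: the risky container-style defaults as comments, then the hardened settings (requirepass, a restricted bind address) and ACL rules that keep Lua scripting away from ordinary identities. The usernames, the private address 10.0.0.5 and the CHANGE_ME password placeholders are assumptions.

```conf
# --- Risky: what an unhardened container image often ships with ---
# bind 0.0.0.0            # listens on every interface, including public ones
# protected-mode no       # accepts unauthenticated clients
# (no requirepass)        # any client that can connect may run EVAL / EVALSHA

# --- Hardened ---
bind 127.0.0.1 10.0.0.5   # loopback plus the private VPC address only (assumed address)
protected-mode yes
port 6379

# Password for the "default" user; requirepass is the shortcut for
# "user default on >password". Placeholder value, replace before use.
requirepass CHANGE_ME_STRONG_PASSWORD

# ACL rules (Redis 6+). @scripting covers EVAL, EVALSHA, SCRIPT, FCALL and FUNCTION;
# @dangerous covers FLUSHALL, CONFIG, DEBUG and similar administrative commands.
# The default user loses Lua and admin rights entirely.
user default on >CHANGE_ME_STRONG_PASSWORD ~* &* +@all -@scripting -@dangerous

# Application identity: key-prefix-scoped read/write, no scripting at all.
user app on >CHANGE_ME_APP_PASSWORD ~app:* &* -@all +@read +@write +@connection

# The only identity allowed to run Lua; keep its use restricted and audited.
user lua-admin on >CHANGE_ME_ADMIN_PASSWORD ~* &* +@all
```

After reloading, `ACL LIST` should show `-@scripting` on the default user, and a test `EVAL "return 1" 0` as the app user should be rejected with a NOPERM error.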