RediShell: Critical Redis RCE Vulnerability CVE-2025-49844 Exploits 13-Year-Old UAF Bug
Published
- Critical flaw: A remote code execution (RCE) vulnerability in Redis, dubbed RediShell (CVE-2025-49844), has been disclosed with a CVSS score of 10.0.
- Attack vector: The flaw exploits a 13-year-old Use-After-Free bug impacting an estimated 330,000 Redis instances exposed to the internet.
- Why it matters: It allows a post-authentication attacker to escape the Lua sandbox via a malicious script and execute arbitrary code.
A critical Redis RCE flaw, identified as CVE-2025-49844 and named RediShell, resides in the widely used Redis in-memory data store and carries the highest possible CVSS severity score of 10.0. The flaw stems from a Use-After-Free (UAF) memory corruption bug that has existed in the Redis source code for approximately 13 years.Â
Potential Risks and Impact
An attacker who has authenticated to a Redis instance can exploit this RCE vulnerability by sending a specially crafted Lua script. This allows them to escape the confines of the Lua sandbox and achieve arbitrary native code execution on the host machine, Wiz Research has uncovered.
The impact of the RediShell exploit is severe, granting an attacker complete control over the compromised host system. This level of access enables the exfiltration, deletion, or encryption of sensitive data stored both in Redis and on the host.Â
Furthermore, an attacker could hijack system resources for activities like cryptomining or use the compromised machine as a pivot point for lateral movement within a cloud environment.Â
With Redis used in an estimated 75% of cloud environments and many instances running with default insecure configurations (such as no authentication), the potential attack surface is extensive:
- Approximately 330,000 Redis instances are exposed to the internet
- About 60,000 instances have no authentication configuredÂ
- 57% of cloud environments install Redis as container images, many without proper security hardening
Recommended Actions for Mitigation
In response to the discovery, Redis released a security advisory and patched versions on October 3. Organizations are strongly urged to update all Redis instances immediately, prioritizing those exposed to the internet or operating without authentication.Â
Recommended security hardening measures for CVE-2025-49844 include:
- enabling robust authentication,Â
- disabling Lua scripting if it is not required,Â
- running Redis with minimal user privileges,Â
- implementing network-level access controls like firewalls and VPCs to restrict access to authorized networks only.
In September, a critical TP-Link zero-day exposed millions of routers to full system takeover and RCE flaws were found in Cisco SNMP XE software and in Ivanti Endpoint Manager Mobile (EPMM).
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular