Red Hot Cyber


RediShell: a 13-year-old, score-10 RCE has landed in Redis

Redazione RHC : 7 October 2025 07:39

A 13-year-old critical flaw in Redis, known as RediShell, allows remote code execution (RCE), giving attackers the ability to gain full control of the underlying host system.

The security issue has been flagged as CVE-2025-49844 and was discovered by Wiz Research. This issue has been assigned the highest severity rating on the CVE-2025-4984

Analysis by Wiz Research revealed a large attack surface, with approximately 330,000 Redis instances exposed to the internet. Alarmingly, approximately 60,000 of these instances have no authentication configured.

The security flaw, caused by a Use-After-Free (UAF) error in memory management, has been present in Redis code for approximately thirteen years. This vulnerability can be exploited by an attacker, after completing authentication, by sending a specially crafted Lua script.

Since Lua scripting is a built-in feature, an attacker can break out of the Lua sandbox environment to achieve arbitrary code execution on the Redis host.

At this level of access the attacker has complete control of the host, allowing them to hijack system resources for activities such as cryptocurrency mining, move laterally across the network, and steal, delete, or encrypt data.

The potential impact is amplified by Redis’ ubiquity. An estimated 75% of cloud environments use in-memory data storage for caching, session management, and messaging.

The attack flow begins with the attacker sending a malicious Lua script to the vulnerable Redis instance. After successfully exploiting the UAF bug to escape the sandbox, the attacker can establish a reverse shell for persistent access. From there, they can compromise the entire host by stealing credentials such as SSH keys and IAM tokens, installing malware, and exfiltrating sensitive data from both Redis and the host machine.

On October 3, 2025, Redis released a security advisory and patched builds to address CVE-2025-49844. All Redis users are strongly advised to update their instances immediately, prioritizing those exposed to the internet or lacking authentication.
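Because the bug needs an authenticated session that can reach the Lua engine, a quick way to rank instances for patching is to look at who can log in without a password and who may run scripting commands. The following triage helper is an added example, not code from Red Hot Cyber, Wiz or the Redis project; it parses the text output of the real `ACL LIST` command, supplied here as a constructed sample so it runs offline, and its order-sensitive reading of ACL tokens is a simplifying assumption.

```python
# Added triage helper for CVE-2025-49844 exposure; not code from Red Hot
# Cyber, Wiz or the Redis project. It parses ACL LIST output, given here
# as a constructed sample so it runs offline. Exploitation needs an
# authenticated session that can run Lua, so it flags users that log in
# without a password and may run scripting commands. Patched versions are
# not hard-coded (the article lists none); check the Redis advisory.
SCRIPTING_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                  "fcall", "fcall_ro", "script", "function"}

def scripting_allowed(rules):
    """Order-sensitive walk over ACL rule tokens (assumption: only command
    and category tokens matter; key, channel and password tokens ignored)."""
    allowed = False
    for tok in rules:
        cmd = tok[1:].split("|")[0].lower()  # strip +/- and any subcommand
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = False
        elif tok[0] in "+-" and cmd in SCRIPTING_CMDS:
            allowed = tok[0] == "+"
    return allowed

def triage_acl(acl_list_output):
    """One finding per 'user ...' line of ACL LIST output."""
    findings = []
    for line in acl_list_output.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["user"]:
            continue
        rules = tokens[2:]
        findings.append({"user": tokens[1], "enabled": "on" in rules,
                         "nopass": "nopass" in rules,
                         "can_script": scripting_allowed(rules)})
    return findings

def urgent_users(findings):
    """Users a remote client could use with no password to reach Lua."""
    return [f["user"] for f in findings
            if f["enabled"] and f["nopass"] and f["can_script"]]

# Constructed sample output, not from a real server; hashes are dummies.
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #%s ~app:* &* -@all +@read +@write -@scripting
user ops on #%s ~* &* +@all
""" % ("0" * 64, "1" * 64)
```

An instance whose `urgent_users` list is non-empty matches the article's first patch priority (internet-exposed or lacking authentication); a non-empty `can_script` set on password-protected users is the second tier.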

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
