Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
RediShell: A 13-year-old score 10 RCE has been patched in Redis

7 October 2025 07:39

A 13-year-old critical flaw in Redis, known as RediShell, allows remote code execution (RCE), giving attackers the ability to gain full control of the underlying host system.

The security issue has been flagged as CVE-2025-49844 and was discovered by Wiz Research. This issue has been assigned the highest severity rating on the CVE-2025-4984

Analysis by Wiz Research revealed a large attack surface, with approximately 330,000 Redis instances exposed to the internet. Alarmingly, approximately 60,000 of these instances have no authentication configured.

The security flaw, caused by a Use-After-Free (UAF) error in memory management, has been present in Redis code for approximately thirteen years. This vulnerability can be exploited by an attacker, after completing authentication, by sending a specially crafted Lua script.

Since Lua scripting is a built-in feature, an attacker can break out of the Lua sandbox environment to achieve arbitrary code execution on the Redis host.

This level of access gives the attacker complete control, allowing them to hijack system resources for activities such as cryptocurrency mining, move laterally on the network, and steal, delete, or encrypt data.

The potential impact is amplified by Redis’ ubiquity. An estimated 75% of cloud environments use in-memory data storage for caching, session management, and messaging.

The attack flow begins with the attacker sending a malicious Lua script to the vulnerable Redis instance. After successfully exploiting the UAF bug to escape the sandbox, the attacker can establish a reverse shell for persistent access. From there, they can compromise the entire host by stealing credentials such as SSH keys and IAM tokens, installing malware, and exfiltrating sensitive data from both Redis and the host machine.

On October 3, 2025, Redis released a security advisory and patched builds to address CVE-2025-49844. All Redis users are strongly advised to update their instances immediately, prioritizing those exposed to the internet or lacking authentication.
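The prioritization advised above can be approximated from each instance's `redis.conf`. The following is an added example, not code from the article, Wiz Research or Redis; the host names and config contents are constructed, and a config file can only show whether an instance listens beyond loopback, not whether it is actually reachable from the internet.

```python
import ipaddress

# Constructed redis.conf contents for four hypothetical hosts.
SAMPLES = {
    "cache-a": "bind 0.0.0.0\nprotected-mode no\nport 6379\n",
    "cache-b": 'bind 0.0.0.0 -::\nrequirepass "placeholder-secret"\n',
    "cache-c": "# no bind line, defaults otherwise\nport 6379\n",
    "cache-d": "bind 127.0.0.1 -::1\nprotected-mode no\n",
}

def parse_conf(text):
    """Map each directive to its argument list; a later line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = [a.strip("\"'") for a in parts[1:]]
    return conf

def listens_beyond_loopback(conf):
    """True if any bind address is non-loopback. No bind line means all interfaces."""
    for addr in conf.get("bind", ["*"]):
        addr = addr.lstrip("-")          # "-addr" = ignore if the address is unavailable
        if addr in ("*", "::*"):
            return True
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:
            return True                  # unparseable value: assume the worst
    return False

def priority(conf):
    """1 = patch first. Only requirepass is checked; ACL users are out of scope here."""
    has_auth = bool("".join(conf.get("requirepass", [])))
    mode = (conf.get("protected-mode") or ["yes"])[0].lower()
    # Conservative assumption: protected-mode is trusted only without an explicit bind line.
    protected = mode != "no" and "bind" not in conf
    if not listens_beyond_loopback(conf):
        return 3, "loopback only"
    if has_auth:
        return 2, "network-reachable, password set"
    if protected:
        return 3, "no password, but protected-mode refuses remote clients"
    return 1, "network-reachable, no authentication"

def triage(samples):
    """Return (priority, host, reason) tuples, most urgent first."""
    rows = [(*priority(parse_conf(text)), host) for host, text in samples.items()]
    return sorted((p, host, why) for p, why, host in rows)
```

Every instance still needs the patched build; the ordering only decides which hosts are updated first.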


Agostino Pellegrino
He is a freelancer, teacher and expert in Computer Forensics, Cyber Security and Ethical Hacking and Network Management. He has collaborated with leading educational institutions internationally and has practiced teaching and mentorship in advanced Offensive Security techniques for NATO obtaining major awards from the U.S. Government. His motto is "Study. Always."
Areas of Expertise: Incident Response, Malware Analysis, Penetration Testing, Red Teaming