Critical Redis Flaw Exposes Thousands of Instances

Summary
– Redis has patched a maximum severity vulnerability (CVE-2025-49844) that enables remote code execution on vulnerable instances.
– The flaw stems from a 13-year-old use-after-free weakness in the source code and can be exploited by authenticated attackers through Lua scripting, a feature that is enabled by default.
– Successful exploitation allows attackers to escape the Lua sandbox, gain full system access, and potentially steal data, deploy malware, or move laterally in networks.
– Researchers identified around 330,000 Redis instances exposed online, with at least 60,000 not requiring authentication, increasing the risk of exploitation.
– Admins are urged to apply security patches immediately and implement additional measures like enabling authentication and disabling unnecessary commands to secure their systems.
A critical security vulnerability has been identified in Redis, the widely used open-source data structure store, posing a severe threat to thousands of exposed instances. This flaw, designated CVE-2025-49844, carries a maximum CVSS severity score of 10.0 and could permit authenticated attackers to execute remote code on vulnerable systems. The underlying issue is a use-after-free weakness that has been present in the Redis source code for approximately thirteen years.
Redis, which stands for Remote Dictionary Server, operates as a database, cache, and message broker, storing data in RAM for exceptionally fast performance. It is deployed in an estimated three-quarters of all cloud environments, making this vulnerability a concern for a vast number of organizations. The security hole can be exploited by an attacker who has gained authenticated access to a Redis instance. By submitting a specially crafted Lua script (Lua scripting is enabled by default), the attacker can break out of the Lua sandbox, trigger the use-after-free condition, and establish a reverse shell. This provides persistent access and full remote code execution capabilities on the host running Redis.
Once a system is compromised, the potential damage is extensive. Attackers can pilfer credentials, install malware or cryptocurrency mining software, and exfiltrate sensitive data stored within Redis. Furthermore, they can use the compromised host as a foothold to move laterally across the victim’s network and potentially leverage stolen information to breach other cloud services. Researchers from Wiz, who discovered the flaw and presented it at the Pwn2Own Berlin event in May 2025, have named the exploit “RediShell.” They emphasize that it grants an attacker complete control over the host system, enabling data theft, destruction, or encryption, resource hijacking, and lateral movement within cloud infrastructures.
While exploitation requires authenticated access, the barrier to entry is lower than one might hope. Wiz’s investigation uncovered roughly 330,000 Redis instances accessible from the internet, with at least 60,000 of these configured without any authentication requirement. Both Redis and Wiz are strongly urging system administrators to apply the available security patches immediately, with a special focus on instances that are internet-facing. The fixed versions include Redis OSS/CE 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, and 7.2.11 and above, among others.
To bolster defenses beyond patching, administrators are advised to implement several security measures. Enabling authentication, disabling the Lua scripting feature and other non-essential commands, and running the Redis service under a non-root user account are crucial first steps. Additional recommendations include activating Redis logging and monitoring, restricting network access to authorized systems only, and employing network-level controls such as firewalls and Virtual Private Clouds (VPCs).
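The mitigations above (authentication, restricted network exposure, Lua disabled) and the fixed versions listed earlier can be checked offline against a copy of redis.conf. The following audit script is an added example, not code from Redis, Wiz, or the article; the two sample configurations it runs on are constructed, and the placeholder password is not a recommendation.

```python
# Added example (not Redis's or Wiz's code): offline audit of a redis.conf against
# the mitigations above, and a version check against the fixed releases listed.
LUA_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",  # Lua entry points; FUNCTION/
                "SCRIPT", "FUNCTION", "FCALL", "FCALL_RO"}   # FCALL are Redis 7 Functions
FIXED = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}
EMPTY = ('""', "''")  # how redis.conf spells an empty value

def parse_conf(text):
    """redis.conf is line oriented: directive, then args; '#' starts a comment."""
    rows = [line.strip().split() for line in text.splitlines()]
    return [(p[0].lower(), p[1:]) for p in rows if p and not p[0].startswith("#")]

def audit(text):
    """Return the set of weaknesses found; an empty set means every check passed."""
    conf, findings = parse_conf(text), set()
    # authentication: requirepass with a value, or an ACL user carrying a '>password' rule
    if not any((d == "requirepass" and a and a[0] not in EMPTY) or
               (d == "user" and any(x.startswith(">") for x in a)) for d, a in conf):
        findings.add("no-auth")
    # network exposure: no bind line or a wildcard bind, and protected-mode switched off
    binds = [a for d, a in conf if d == "bind"]
    if not binds or any(x.lstrip("-") in ("0.0.0.0", "*", "::*") for x in binds[-1]):
        findings.add("bind-all")
    if any(d == "protected-mode" and a and a[0].lower() == "no" for d, a in conf):
        findings.add("protected-mode-off")
    # Lua still reachable: not every Lua command is renamed away and no ACL denies @scripting
    renamed = {a[0].upper() for d, a in conf
               if d == "rename-command" and len(a) == 2 and a[1] in EMPTY}
    if not (LUA_COMMANDS <= renamed or any(d == "user" and "-@scripting" in a for d, a in conf)):
        findings.add("lua-enabled")
    return findings

def is_patched(version):
    """True/False for the branches in FIXED; None if the branch is not one the article lists."""
    v = tuple(int(p) for p in version.split("."))
    return None if v[:2] not in FIXED else v >= FIXED[v[:2]]

# constructed samples: typical exposed defaults vs. the hardened counterpart
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ("bind 127.0.0.1 -::1\nprotected-mode yes\n"
                 "user default on >CHANGE-ME-example-only ~* &* +@all -@scripting\n")

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF), is_patched("7.4.5"))
```

The ACL rule `-@scripting` is the Redis 6+ way to deny the Lua commands; a `rename-command X ""` line per entry in `LUA_COMMANDS` achieves the same on older configurations, and the audit accepts either.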
Wiz has issued a stark warning, noting that the combination of Redis’s massive deployment footprint, often insecure default configurations, and the critical nature of this vulnerability creates a pressing need for swift action. They stress that organizations must prioritize updating their Redis deployments and enforcing proper security controls to guard against active exploitation.
This incident is part of a broader pattern where Redis servers are frequently targeted. Threat actors often use botnets to infect them with malware. For instance, in June 2024, the P2PInfect botnet was observed installing Monero cryptominers and even a ransomware module on unpatched, internet-exposed Redis servers. Historically, Redis instances have also been compromised by malware like Redigo, HeadCrab, and Migo, which typically disable security features and conscript the servers into cryptocurrency mining operations.
(Source: Bleeping Computer)
