
60,000 Redis Servers Exposed by Critical Security Flaw

Summary

– A critical security flaw (CVE-2025-49844) in Redis affects about 75% of cloud environments, leaving 60,000 servers vulnerable to remote exploitation.
– The flaw, nicknamed “RediShell,” has the maximum CVSS severity score of 10.0 and went undetected for 13 years in Redis’s Lua scripting engine.
– It is a use-after-free vulnerability that allows authenticated attackers to escape the sandbox and execute arbitrary code on the host system.
– Approximately 330,000 Redis instances are exposed online, with 60,000 lacking authentication, making them especially vulnerable to attack.
– Redis has released patches and advises immediate updates, along with enabling authentication, restricting network access, and disabling Lua scripting if not needed.

A newly discovered critical vulnerability within the widely used Redis in-memory database platform has placed an estimated 60,000 servers at direct risk of remote takeover. This security flaw, present in roughly three-quarters of cloud environments, allows attackers to gain complete control over affected systems.

The vulnerability, officially designated as CVE-2025-49844 and informally called “RediShell,” has received the highest possible severity rating of 10.0 on the CVSS scale. Researchers uncovered that the flaw has existed undetected within Redis’s embedded Lua scripting engine for an astonishing 13 years. It is classified as a use-after-free vulnerability, enabling any attacker who can authenticate to the server to upload a maliciously designed Lua script. This script can then break out of its sandbox, permitting the execution of arbitrary commands directly on the underlying host server.

Once an attacker successfully exploits this weakness, they can open a reverse shell and use it as a persistent backdoor. This access can be leveraged to steal sensitive credentials, move laterally across internal corporate networks, or deploy malicious software such as ransomware and cryptocurrency miners.

Investigations by the cloud security firm Wiz revealed that while exploiting the bug requires authentication, approximately 330,000 Redis instances are directly accessible from the public internet. Alarmingly, about 60,000 of these servers operate with no authentication whatsoever, creating a perfect storm for compromise by combining public exposure with weak security configurations.

Redis and Wiz made a coordinated public disclosure of the vulnerability on October 3rd, issuing an urgent call for system administrators to apply patches immediately. The company has released fixed versions for Redis 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131, with corresponding updates available for both its open-source and commercial product lines.

Beyond immediate patching, Redis strongly recommends that users implement several critical security measures. These include enabling authentication, restricting server access to trusted networks only, and disabling the Lua scripting feature if it is not essential for operations. Additional best practices involve running the Redis service under a non-root user account, enforcing strict firewall and VPC rules, and maintaining vigilant monitoring of system logs for any unusual activity.
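The recommendations above map directly onto a handful of redis.conf directives. The script below is an added example (not from the article, Redis, or Wiz) that audits a redis.conf text for the three settings the advisory stresses: authentication enabled, network access restricted, and Lua scripting disabled where it is not needed. Both sample configurations are constructed for illustration, the password is a placeholder, and the ACL handling is deliberately simplified (it only inspects the `default` user and the `@scripting` / `@all` categories); a real audit should also cover the aclfile contents and any other ACL users.

```python
"""Audit a redis.conf against the hardening advice for CVE-2025-49844:
authentication on, network access restricted, Lua scripting disabled
where it is not needed. Added example; sample configs are constructed."""
import shlex

# Constructed sample: an exposed, unauthenticated instance with scripting on.
WEAK_CONF = """
# redis.conf (constructed, insecure)
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same server after applying the recommendations.
HARDENED_CONF = """
# redis.conf (constructed, hardened)
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "placeholder-change-me"
# Restrict the default user and remove the scripting command category.
user default on >placeholder-change-me ~* &* +@all -@scripting
# Legacy option still honoured: rename EVAL/EVALSHA to nothing to disable them.
rename-command EVAL ""
rename-command EVALSHA ""
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Return a list of (directive, args) pairs with the directive lower-cased.
    redis.conf lines are 'directive arg arg ...', arguments may be double-quoted,
    '#' lines are comments, and a directive may appear more than once."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def default_user_allows_scripting(rules):
    """Walk ACL rule tokens left to right (later rules win). The default user
    starts with +@all, so scripting is allowed unless a later rule removes it.
    Simplification: only category-level tokens are considered."""
    allowed = True
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit(text):
    """Return a sorted list of finding codes for the given redis.conf text."""
    entries = parse_conf(text)
    findings = set()

    # Authentication: requirepass, an ACL file, or a default user with a password.
    has_requirepass = any(d == "requirepass" and a and a[0] != "" for d, a in entries)
    has_aclfile = any(d == "aclfile" for d, _ in entries)
    default_rules = [a[1:] for d, a in entries if d == "user" and a and a[0] == "default"]
    default_has_password = any(
        "nopass" not in rules and any(tok.startswith((">", "#")) for tok in rules)
        for rules in default_rules
    )
    if not (has_requirepass or has_aclfile or default_has_password):
        findings.add("no-authentication")

    # Network exposure: binding every interface or disabling protected mode.
    # A '-' prefix on a bind address only marks it optional, so strip it.
    for d, args in entries:
        if d == "bind" and any(tok.lstrip("-") in ALL_INTERFACES for tok in args):
            findings.add("bind-all-interfaces")
        if d == "protected-mode" and args and args[0].lower() == "no":
            findings.add("protected-mode-off")
    if not any(d == "bind" for d, _ in entries):
        findings.add("bind-all-interfaces")  # no 'bind' line means all interfaces

    # Lua scripting: blocked either via ACL category or by renaming EVAL/EVALSHA away.
    acl_blocks = any(not default_user_allows_scripting(r) for r in default_rules)
    renamed_away = {a[0].upper() for d, a in entries
                    if d == "rename-command" and len(a) == 2 and a[1] == ""}
    if not (acl_blocks or {"EVAL", "EVALSHA"} <= renamed_away):
        findings.add("lua-scripting-enabled")

    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The `lua-scripting-enabled` finding is informational: on a server that legitimately uses EVAL it should be accepted and the patch applied, while the other three findings describe exactly the exposed-and-unauthenticated population the article counts. Note that `rename-command` is the older mechanism; on Redis 7 the ACL category rule is the supported way to withhold scripting from a user.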

Redis servers have historically been a prime target for cybercriminal campaigns. Previous malware families like P2PInfect, Redigo, HeadCrab, and Migo have all specifically targeted poorly secured Redis instances to install cryptominers and other malicious payloads. Although there are no confirmed exploitations of CVE-2025-49844 in active attacks at this time, security experts emphasize that the platform’s massive adoption and frequent use of insecure default settings make rapid patching and robust network security absolutely vital to prevent a widespread incident.

(Source: INFOSECURITY)
