Redis has released emergency patches for a severe security vulnerability that could allow attackers to gain full control over affected servers, putting thousands of deployments at risk across cloud environments.
Redis (Remote Dictionary Server) is an open-source data structure platform widely deployed in roughly 75% of cloud environments, serving as a database, cache, and message broker, while storing data in RAM to enable high-speed access.
The security vulnerability, identified as CVE-2025-49844 and dubbed “RediShell,” carries a maximum CVSS rating of 10.0 and impacts every Redis version that includes Lua scripting, which is enabled by default.
This security gap stems from a use-after-free bug that has existed in Redis’ codebase for over a decade. Researchers at Wiz, who reported the vulnerability earlier this month, demonstrated that it can be triggered by a specially crafted Lua script. When exploited, attackers can break out of the Lua sandbox, corrupt memory, and execute arbitrary commands on the underlying host.
“This flaw allows a post auth attacker to send a specially crafted malicious Lua script … to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host,” Wiz said. “This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.”
Although exploitation requires the attacker to first gain authenticated access to the server, Wiz discovered roughly 330,000 Redis instances exposed online, with around 60,000 lacking any authentication.
Redis addressed the vulnerability on October 3, 2025, releasing fixes in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2. Until systems can be updated, administrators are advised to restrict Lua command execution through access control lists and ensure only trusted accounts can run potentially risky scripts.
“With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries,” Wiz warned. “The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation.”
Beyond patching, Redis administrators are advised to implement authentication, limit network exposure, run Redis under non-root accounts, enable Redis logging and monitoring, and employ firewalls or virtual private clouds to restrict access.
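One way to check the two pieces of advice above (restrict scripting via ACLs, require authentication) against a running deployment, as an added example that is not from the article, from Wiz, or from the Redis project: the script parses the output of Redis's `ACL LIST` command (constructed sample lines below) and flags every enabled user who can still reach the Lua scripting commands, noting whether that user is also `nopass`. It models only the `@all`, `@scripting` and `@slow` categories; treating those as the categories that contain EVAL and its relatives is an assumption about the Redis 7 ACL layout, and other category rules are ignored.

```python
# Audit `ACL LIST` output for Redis users that can still run Lua scripts.
# Added example, not from the article, Wiz or the Redis project: a simplified
# model of Redis's left-to-right ACL rules covering the @all, @scripting and
# @slow categories only (assumption: Redis 7 tags EVAL and friends with both).
SCRIPTING_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                  "script", "function", "fcall", "fcall_ro"}
SCRIPTING_CATEGORIES = {"all", "scripting", "slow"}

def can_run_scripts(rules):
    """True if, after applying rules in order, any scripting command is enabled."""
    allowed = set()
    for rule in rules:
        if rule[:1] not in ("+", "-"):
            continue                       # key/channel patterns, flags, passwords
        grant = rule[0] == "+"
        if rule[1:2] == "@":               # category selector, e.g. -@scripting
            if rule[2:].lower() in SCRIPTING_CATEGORIES:
                allowed = set(SCRIPTING_CMDS) if grant else set()
            continue
        cmd, _, sub = rule[1:].lower().partition("|")
        if cmd in SCRIPTING_CMDS:
            if grant:
                allowed.add(cmd)           # +script|exists still exposes SCRIPT
            elif not sub:
                allowed.discard(cmd)       # only whole-command removals modelled
    return bool(allowed)

def audit_acl_list(acl_list_output):
    """Return (user, finding) pairs for enabled users that can run scripts."""
    findings = []
    for line in acl_list_output.strip().splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        if "off" in rules or not can_run_scripts(rules):
            continue
        finding = "can run Lua scripts"
        if "nopass" in rules:
            finding += " and needs no password"
        findings.append((name, finding))
    return findings

# Constructed sample in `ACL LIST` format; "#<sha256>" stands in for a password hash.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256> sanitize-payload ~app:* &* -@all +@read +@write +@connection
user batch on #<sha256> sanitize-payload ~* &* +@all -@scripting +evalsha
user legacy off sanitize-payload ~* &* +@all
"""
```

For a flagged account, `ACL SETUSER <name> -@scripting` removes the category again, and the audit can be re-run on fresh `ACL LIST` output. Note that `batch` is flagged because a later `+evalsha` re-enables one scripting command after `-@scripting`, which is exactly the ordering mistake worth catching.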
While there have been no confirmed attacks exploiting this flaw yet, Redis has historically been targeted by cybercriminals. Previous campaigns, including malware such as P2PInfect, Redigo, HeadCrab, and Migo, have hijacked unpatched servers for cryptomining operations and ransomware deployment.
The Big Picture
RediShell serves as a reminder of how a long-standing flaw in widely adopted open-source software can pose a major risk if left unpatched.
With Redis running extensively across cloud environments and often exposed to the internet, organizations that are slow to apply the necessary updates may leave themselves open to remote code execution, credential theft, unauthorized data access, and lateral movement by attackers throughout their networks.