A brand new vulnerability in Redis, now generally known as RediShell (CVE-2025-49844), has put tens of 1000’s of servers susceptible to distant compromise. The flaw, rated with a most CVSS rating of 10.0, has existed unnoticed in Redis code for over a decade and is now being referred to as one of the severe points ever discovered within the open-source database.
The problem lies in a use-after-free bug in Redis’s Lua interpreter, which will be exploited by way of a malicious Lua script. Attackers can escape the interpreter’s sandbox and run arbitrary code on the host system. This degree of entry can permit theft of knowledge, set up of malware, or using compromised servers for extra assaults.
Cybersecurity researchers from Wiz, who discovered the problem, estimate that about 330,000 Redis cases are at the moment uncovered to the web, with roughly 60,000 operating with none authentication. Redis is usually utilized in cloud environments for caching and session administration, which suggests the attain of this vulnerability is way larger than typical software program bugs.
The Redis group responded shortly, releasing a patched model and a safety advisory on October 3. Wiz researchers had privately reported the problem in Could after figuring out it throughout Pwn2Own Berlin. The disclosure course of was dealt with collaboratively, with Redis engineers coordinating fixes earlier than public launch.
The chance varies relying on how Redis is deployed. Cases uncovered on to the web with out authentication face the best hazard. In these setups, anybody may join and run Lua scripts remotely, which supplies a direct path for exploitation.
Even inside inside networks, the bug poses vital publicity if authentication is weak or absent, as attackers already inside a company surroundings may exploit it for lateral motion.
Wiz’s evaluation shared with Hackrad.com discovered that 57% of Redis deployments in cloud environments run as container photos. Many of those containers are deployed with out correct entry controls or configuration checks, making them significantly weak.
If exploited, an attacker may ship a crafted Lua script to set off the reminiscence corruption, escape the sandbox, and set up full management over the host. As soon as inside, they may exfiltrate credentials, set up miners or backdoors, and use stolen tokens to maneuver throughout linked cloud methods.
Researchers are urging all Redis customers to improve to the newest model and confirm their configurations. Enabling authentication, disabling Lua scripting when not wanted, limiting community entry, and operating Redis below a non-root account are key mitigation steps. Logging and monitoring also needs to be turned on to detect uncommon exercise.
“This newly disclosed Redis vulnerability is a reminder that technical debt doesn’t simply reside in code; it lives in configuration. 13 years of latent threat surfaced as a result of default settings and weak segmentation went unobserved,” mentioned Anders Askasen, VP of Product Advertising and marketing at Radiant Logic.
When foundational providers like Redis run unauthenticated or uncovered, they create invisible assault paths that may pivot instantly into id and entry methods,” he added. “The reply isn’t simply patching sooner however seeing sooner. Id observability supplies the real-time visibility, management, validation, and remediation wanted to uncover these blind spots earlier than attackers do.”
The RediShell vulnerability reveals how a lot fashionable infrastructure is dependent upon open-source software program and the way previous code can carry hidden dangers for years. Redis is utilized by greater than three-quarters of cloud environments, so patching and tightening safety configurations ought to be handled as a direct precedence.
