Critical Flaw in Redis Threatens Thousands of Servers

The Redis security team has released patches for a maximum-severity vulnerability that could allow attackers to gain remote code execution (RCE) on thousands of exposed instances.

Redis, short for Remote Dictionary Server, is an open-source data structure store used in approximately 75% of cloud environments. It functions as a database, cache, and message broker, storing data in RAM for ultra-fast access.

The RediShell Vulnerability 

The security flaw, tracked as CVE-2025-49844, is caused by a 13-year-old use-after-free weakness in the Redis source code. It can be exploited by authenticated threat actors using a specially crafted Lua script; Lua scripting is a feature that is enabled by default. Successful exploitation allows attackers to escape the Lua sandbox, trigger the use-after-free, establish a reverse shell for persistent access, and ultimately achieve remote code execution on the targeted Redis hosts. Researchers at Wiz, who reported the issue at Pwn2Own Berlin in May 2025 and dubbed it RediShell, confirmed the flaw's severity.

After compromising a Redis host, attackers can steal credentials, deploy malware or cryptocurrency mining tools, extract sensitive data, move laterally to other systems within the victim's network, or use stolen information to gain access to other cloud services. Wiz warned that this grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments. 

Exposure and Mitigation 

While successful exploitation requires authenticated access to a Redis instance, Wiz found about 330,000 Redis instances exposed online, with at least 60,000 of these instances not requiring any authentication. 

Redis and Wiz are strongly urging administrators to patch their instances immediately by applying the security updates released on Friday, prioritizing those that are exposed to the internet. To further secure Redis against remote attacks, administrators should also enable authentication, disable Lua scripting and other unnecessary commands, run Redis under a non-root user account, enable Redis logging and monitoring, limit access to authorized networks only, and implement network-level access controls using firewalls and Virtual Private Clouds (VPCs).
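As an added example (not code from the article, Wiz, or the Redis project), the following Python script audits a redis.conf against the hardening items listed above. It assumes the standard directives requirepass, bind, protected-mode and rename-command, and treats renaming EVAL, EVALSHA and SCRIPT to an empty string as the mechanism for disabling Lua scripting; both sample configurations are constructed for illustration.

```python
"""Audit a redis.conf for the hardening settings recommended against RediShell."""

# Constructed sample: a config with common insecure defaults left in place.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass foobared
"""

# Constructed sample: the same config after hardening. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass <placeholder-strong-secret>
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
rename-command CONFIG ""
"""

# Commands that drive Lua scripting; renaming them to "" disables them.
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*"}


def parse_conf(text):
    """Return a list of (directive, args) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    values, disabled = {}, set()
    for directive, args in parse_conf(text):
        if directive == "rename-command" and len(args) == 2 and args[1] in ('""', "''"):
            disabled.add(args[0].upper())   # command renamed to empty string
        else:
            values[directive] = args        # later directives override earlier ones
    findings = []
    if "requirepass" not in values:
        findings.append("no requirepass: unauthenticated clients can run commands")
    binds = values.get("bind", [])
    if not binds or any(b in ALL_INTERFACES for b in binds):
        findings.append("bind listens on all interfaces: restrict to trusted addresses")
    if values.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: remote clients reach an unauthenticated instance")
    still_on = SCRIPT_COMMANDS - disabled
    if still_on:
        findings.append("Lua scripting commands still enabled: " + ", ".join(sorted(still_on)))
    return findings
```

Running `audit(WEAK_CONF)` reports all four gaps, while `audit(HARDENED_CONF)` returns no findings; the same checks can be pointed at a live instance's `CONFIG GET` output once the config keys are mapped to the same names.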

Wiz stressed that RediShell represents a critical threat because the vulnerability affects all Redis versions due to its root cause in the underlying Lua interpreter. The combination of widespread deployment, insecure default configurations, and the severity of the flaw creates an urgent need for immediate remediation. 

Threat actors frequently target Redis instances with botnets to install malware and cryptominers. For example, in June 2024, the P2PInfect peer-to-peer malware botnet installed Monero cryptomining malware and deployed a ransomware module in attacks targeting internet-exposed and unpatched Redis servers. Previously, Redis servers were also backdoored with Redigo malware and compromised in HeadCrab and Migo malware attacks, which disabled protection features and hijacked the servers to mine for Monero.
