Redis, the company behind the widely used in-memory data store, disclosed a critical vulnerability (CVE-2025-49844, dubbed RediShell) allowing attackers to escape the Lua sandbox and execute arbitrary native code on the host system via a use-after-free memory corruption bug. The flaw, present since 2012, affects Redis versions with Lua scripting (v8.2.1 and earlier). Worse, 57% of cloud Redis deployments use default container images with authentication disabled, exposing ~60,000 internet-facing instances globally to remote code execution (RCE) risks. Exploitation could lead to persistent access, cryptomining, data exfiltration (Redis/host), credential theft (e.g., IAM tokens for lateral cloud movement), and full system compromise. German authorities warned of imminent attacks due to the flaw’s simplicity and Redis’ ubiquity. Patches are available, but unpatched systems remain at severe risk of complete takeover, especially if exposed without authentication or proper ACLs.
TPRM report: https://www.rankiteo.com/company/redisinc
{
  "id": "red3893338100725",
  "linkid": "redisinc",
  "type": "Vulnerability",
  "date": "6/2012",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of Redis (server) versions with Lua scripting: v8.2.1 and earlier, including ~330,000 internet-exposed instances (~60,000 without authentication)",
      "industry": "Database/Technology",
      "location": "Global",
      "name": "Redis Ltd.",
      "type": "Software Company"
    },
    {
      "location": "Global (notably ~4,000 unprotected instances in Germany per BSI)",
      "name": "Organizations using Redis containers",
      "type": ["Enterprises", "Cloud Service Providers", "Developers"]
    }
  ],
  "attack_vector": ["Network", "Lua Script Injection (EVAL/EVALSHA commands)", "Post-Authentication"],
  "customer_advisories": "Users advised to patch immediately or disable Lua scripting; hardening guidance provided",
  "data_breach": {
    "data_exfiltration": "Possible (noted as a risk by Wiz researchers)",
    "personally_identifiable_information": "Possible (if stored in Redis)",
    "sensitivity_of_data": "High (potential for credential theft and lateral movement)",
    "type_of_data_compromised": ["Redis database contents", "Host system files", "Cloud credentials (e.g., IAM tokens)"]
  },
  "description": "Redis, the company behind the widely used in-memory data structure store, has patched a critical vulnerability (CVE-2025-49844, dubbed 'RediShell') that allows post-authentication attackers to escape the Lua sandbox and execute arbitrary native code on the Redis host. The flaw stems from a use-after-free memory corruption bug introduced in 2012, affecting Redis versions with Lua scripting (v8.2.1 and earlier). Exploitation could lead to persistent access, cryptomining, data exfiltration, credential theft, and lateral movement in cloud environments. Approximately 330,000 internet-exposed Redis instances exist globally, with ~60,000 lacking authentication. The German BSI warns of imminent exploitation attempts once technical details are publicized.",
  "impact": {
    "brand_reputation_impact": ["High risk due to widespread Redis usage", "Potential loss of trust in cloud security"],
    "data_compromised": ["Redis database contents", "Host system data", "Cloud service credentials (e.g., IAM tokens)"],
    "identity_theft_risk": ["If credentials/IAM tokens are stolen"],
    "operational_impact": ["Unauthorized code execution", "Potential service disruption", "Compromised cloud infrastructure"],
    "systems_affected": ["Redis servers (v8.2.1 and earlier with Lua scripting)", "Underlying host systems", "Cloud environments using Redis containers"]
  },
  "investigation_status": "Ongoing (technical details withheld by Wiz to delay exploitation)",
  "lessons_learned": [
    "Default configurations (e.g., no auth in container images) introduce significant risk",
    "Legacy code (2012 vulnerability) can resurface as critical flaws",
    "Widespread exposure of services (330K instances) amplifies impact",
    "Post-authentication vulnerabilities can be as severe as pre-auth flaws"
  ],
  "motivation": ["Potential for cryptomining", "Data exfiltration", "Lateral movement in cloud environments", "Persistent access", "Credential theft"],
  "post_incident_analysis": {
    "corrective_actions": ["Code fixes in patched versions", "Security hardening recommendations", "Public awareness campaigns (e.g., BSI alert)"],
    "root_causes": ["Use-after-free bug in Lua sandbox (introduced 2012)", "Default insecure configurations (auth disabled in container images)", "Widespread internet exposure of Redis instances", "Lack of input validation for Lua scripts"]
  },
  "recommendations": [
    "Immediately patch Redis to fixed versions (see advisory)",
    "Enable authentication for all Redis instances",
    "Disable Lua scripting if not required (via ACLs)",
    "Harden Redis deployments (non-root user, command restrictions, logging)",
    "Isolate Redis instances with network access controls",
    "Monitor for exploitation attempts (especially after PoC release)",
    "Audit cloud environments for exposed Redis instances"
  ],
  "references": [
    {"source": "Wiz Research"},
    {"source": "German Federal Office for Information Security (BSI) Alert"},
    {"source": "Redis Security Advisory"}
  ],
  "regulatory_compliance": {"regulatory_notifications": ["German BSI alert issued"]},
  "response": {
    "communication_strategy": ["Public advisory by Redis", "Alert by German BSI", "Wiz Research blog post (technical details withheld temporarily)"],
    "containment_measures": ["Patch deployment (see fixed versions)", "Disabling Lua scripting via ACL restrictions on EVAL/EVALSHA commands", "Network segmentation"],
    "enhanced_monitoring": "Recommended (Redis logging activation)",
    "network_segmentation": "Recommended",
    "remediation_measures": ["Enable authentication (default disabled in official container images)", "Disable unnecessary Redis commands", "Run Redis as non-root user", "Activate logging/monitoring", "Implement network-level access controls", "Restrict Redis access to authorized networks"],
    "third_party_assistance": ["Wiz Research (discovery/reporting)"]
  },
  "stakeholder_advisories": ["Redis users/administrators", "Cloud service providers", "DevOps/SRE teams", "Security researchers"],
  "title": "Critical Redis Vulnerability (CVE-2025-49844) Enables Remote Code Execution via Lua Scripting (RediShell)",
  "type": ["Vulnerability", "Remote Code Execution (RCE)", "Memory Corruption", "Use-After-Free"],
  "vulnerability_exploited": "CVE-2025-49844 (RediShell - Use-after-free in Lua sandbox)"
}