Redis disclosed CVE-2025-49844 (RediShell), a critical CVSS 10.0 vulnerability in its in-memory database software, allowing authenticated attackers to exploit a use-after-free (UAF) memory corruption bug via malicious Lua scripts. This flaw, present for 13 years, enables remote code execution (RCE), granting full host system access. Attackers could steal credentials, exfiltrate sensitive data, deploy malware (e.g., ransomware), or pivot to other cloud services. The vulnerability affects all Redis versions prior to 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, with ~330,000 exposed instances globally, including 60,000 unprotected by authentication. While no in-the-wild exploitation is confirmed, Redis instances are prime targets for cryptojacking, botnet recruitment, and data breaches. Immediate mitigation requires patching, restricting Lua script execution via ACLs, and enforcing strong authentication. Failure to act risks large-scale data theft, system hijacking, or lateral movement across cloud environments, posing severe operational and reputational damage.
Source: https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html
TPRM report: https://www.rankiteo.com/company/redisinc
{
  "id": "red5093050100725",
  "linkid": "redisinc",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "All users of Redis with Lua scripting enabled (~330,000 exposed instances globally)",
      "industry": "Database Technology",
      "location": "Global",
      "name": "Redis (by Redis Ltd.)",
      "type": "Software Vendor"
    }
  ],
  "attack_vector": ["Network", "Authentication Required", "Lua Script Injection"],
  "customer_advisories": ["Redis users urged to update, restrict Lua script access, and secure instances"],
  "data_breach": {
    "data_exfiltration": ["Potential (if exploited)"],
    "personally_identifiable_information": ["Potential (if PII stored in Redis)"],
    "sensitivity_of_data": ["High (if sensitive data stored in Redis)"],
    "type_of_data_compromised": ["Potential: credentials, sensitive data in Redis, cloud environment resources"]
  },
  "date_detected": "2025-05-16",
  "date_publicly_disclosed": "2025-10-03",
  "date_resolved": "2025-10-03",
  "description": "Redis disclosed a maximum-severity security flaw (CVE-2025-49844, aka RediShell) in its in-memory database software, allowing remote code execution via a specially crafted Lua script. The vulnerability, assigned a CVSS score of 10.0, exists in all Redis versions with Lua scripting and requires authenticated access for exploitation. It was discovered by Wiz and patched in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released October 3, 2025). The flaw, a 13-year-old use-after-free (UAF) memory corruption bug, permits attackers to escape the Lua sandbox, execute arbitrary native code, and gain full host system access. While no in-the-wild exploitation is confirmed, the vulnerability poses a significant threat due to ~330,000 exposed Redis instances globally, with ~60,000 lacking authentication. Attackers could exploit it for cryptojacking, botnet enrollment, credential theft, malware deployment, data exfiltration, or lateral movement in cloud environments.",
  "impact": {
    "brand_reputation_impact": ["High (due to maximum-severity vulnerability in widely used database)"],
    "data_compromised": ["Potential credentials", "Sensitive data stored in Redis", "Cloud environment resources"],
    "identity_theft_risk": ["High (if credentials stored in Redis are compromised)"],
    "operational_impact": ["Full host system access for attackers", "Risk of data exfiltration/wiping/encryption", "Resource hijacking"],
    "payment_information_risk": ["High (if payment data stored in Redis is compromised)"],
    "systems_affected": ["Redis instances with Lua scripting enabled", "Underlying host systems"]
  },
  "investigation_status": "Completed (vulnerability disclosed, patches released; no evidence of in-the-wild exploitation)",
  "lessons_learned": [
    "Default configurations in widely used software can introduce long-term risks (13-year-old bug).",
    "Exposing database instances to the internet significantly increases attack surface.",
    "Scripting features (e.g., Lua in Redis) require strict access controls.",
    "Proactive vulnerability discovery (e.g., by Wiz) is critical for open-source projects."
  ],
  "motivation": ["Potential Cryptojacking", "Botnet Enrollment", "Data Theft", "Lateral Movement", "Unauthorized Access"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patches released to fix the memory corruption bug.",
      "Guidance provided to restrict Lua script execution.",
      "Public awareness campaign on securing Redis deployments.",
      "Recommendations for network segmentation and monitoring."
    ],
    "root_causes": [
      "13-year-old use-after-free bug in Redis Lua scripting implementation.",
      "Default enabling of Lua scripting without strict access controls.",
      "Widespread exposure of Redis instances to the internet (~330,000 instances).",
      "Lack of authentication on ~60,000 exposed instances."
    ]
  },
  "recommendations": [
    "Immediately patch Redis instances to versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, or 8.2.2.",
    "Restrict EVAL and EVALSHA commands via ACL rules to prevent Lua script execution by untrusted users.",
    "Avoid exposing Redis instances to the internet; use firewalls or private networks.",
    "Enforce strong authentication (e.g., passwords, TLS) for Redis instances.",
    "Monitor Redis instances for unusual activity, especially Lua script executions.",
    "Segment networks to limit lateral movement if a Redis instance is compromised.",
    "Audit Redis data for sensitive information and apply encryption where needed.",
    "Review cloud environments for misconfigured Redis deployments."
  ],
  "references": [
    {"source": "GitHub Advisory for CVE-2025-49844"},
    {"source": "Wiz Research Report"},
    {"source": "Redis Official Announcement"}
  ],
  "response": {
    "communication_strategy": ["GitHub advisory", "Public disclosure via media", "Vendor notifications"],
    "containment_measures": [
      "Released patched versions (6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2)",
      "Advisory published on GitHub",
      "Public disclosure with mitigation guidance"
    ],
    "enhanced_monitoring": ["Recommended for Redis instances"],
    "incident_response_plan_activated": true,
    "network_segmentation": ["Recommended as mitigation"],
    "remediation_measures": [
      "Apply patches to affected Redis versions",
      "Restrict EVAL and EVALSHA commands via ACL",
      "Limit Lua script execution to trusted identities",
      "Avoid exposing Redis instances to the internet",
      "Enforce strong authentication"
    ],
    "third_party_assistance": ["Wiz (discovery and reporting)"]
  },
  "stakeholder_advisories": ["Users advised to patch immediately and apply mitigation measures"],
  "title": "Critical Redis 'RediShell' Vulnerability (CVE-2025-49844) Enables Remote Code Execution",
  "type": ["Vulnerability Disclosure", "Remote Code Execution (RCE)", "Memory Corruption"],
  "vulnerability_exploited": {
    "affected_versions": "All versions of Redis with Lua scripting",
    "cve_id": "CVE-2025-49844",
    "cvss_score": 10.0,
    "exposure_window": "~13 years (since Redis source code inclusion)",
    "name": "RediShell",
    "patched_versions": ["6.2.20", "7.2.11", "7.4.6", "8.0.4", "8.2.2"],
    "type": "Use-After-Free (UAF) Memory Corruption"
  }
}