13-Year-Old Critical Redis RCE Flaw Allowed Attackers Full Host Access

A newly uncovered remote code execution (RCE) flaw in Redis, known as RediShell, has revealed that attackers could gain complete control over the host system. The issue, tracked as CVE-2025-49844, was discovered by Wiz Research and carries the maximum CVSS score of 10.0, placing it among the most critical security threats identified to date.

The vulnerability is a Use-After-Free (UAF) memory corruption issue that has existed in Redis’s source code for nearly 13 years. An authenticated attacker can trigger it by submitting a crafted Lua script. Since Lua scripting is enabled by default, the flaw allows an attacker to escape the Lua sandbox and execute arbitrary code on the Redis server.

Once exploited, this access provides complete system control, enabling data theft, deletion, or encryption, as well as hijacking system resources for malicious activities like crypto mining. It also allows lateral movement within the network to reach more sensitive systems.

Redis’s widespread use amplifies the potential damage. Around 75% of cloud environments rely on Redis for caching, session management, and message brokering. Combined with weak deployment practices that often lack proper security hardening, this flaw poses a serious global risk.

Redis Instances Exposed to the Internet

Wiz Research identified an alarming 330,000 Redis instances directly exposed to the internet. Approximately 60,000 of these were found without authentication, meaning attackers could interact with them freely.

The official Redis container image, representing about 57% of Redis deployments in the cloud, does not enforce authentication by default. This configuration makes it especially dangerous, as unauthenticated users can send malicious Lua scripts and execute arbitrary commands on the affected systems.

Even Redis instances confined to internal networks remain vulnerable, since attackers who already have limited access could exploit the flaw to move laterally and compromise critical systems.
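The three deployment weaknesses the section above describes (no authentication, listening on every interface, and Lua scripting reachable by any client) are all visible in redis.conf. The following audit script is an added example for this article, not code from Redis, Wiz Research or the author. The directives and ACL syntax it checks are real Redis configuration (ACL `user` rules need Redis 6 or later); the finding codes and the two sample configs are constructed for the demonstration.

```python
"""Audit a redis.conf for the deployment weaknesses the article describes.

Added example for this article; not code from Redis, Wiz Research or the
author. Directives and ACL syntax are real Redis configuration; finding codes
and the sample configs are constructed for the demonstration.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, List[str]]

SCRIPT_CMDS = {"eval", "evalsha", "script"}        # commands that load or run Lua
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}     # "listen on every interface"


def parse_conf(text: str) -> List[Entry]:
    """Split redis.conf text into (directive, args) pairs, dropping comments.
    Quoted arguments stay one token, so rename-command EVAL "" yields ''."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.findall(r'"([^"]*)"|(\S+)', line)
        args = [quoted if quoted else bare for quoted, bare in tokens]
        entries.append((args[0].lower(), args[1:]))
    return entries


def default_user_allows_scripting(rules: List[str]) -> bool:
    """Walk the default user's ACL rules left to right (Redis applies them in
    order) and report whether Lua commands are still permitted at the end.
    Heuristic: only category rules and the three script commands are modelled."""
    allowed = False  # a user declared in redis.conf starts with no commands
    grant = {"+@all", "allcommands", "+@scripting"} | {"+" + c for c in SCRIPT_CMDS}
    for tok in rules:
        t = tok.lower()
        if t in grant:
            allowed = True
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit(text: str) -> List[str]:
    """Return findings as 'code: explanation' strings; an empty list is clean."""
    conf = parse_conf(text)
    findings: List[str] = []

    def values(name: str) -> List[List[str]]:
        return [args for directive, args in conf if directive == name]

    # 1. Authentication: requirepass, or a default user with a password set.
    has_requirepass = any(a and a[0] for a in values("requirepass"))
    default_rules = [a[1:] for a in values("user") if a and a[0] == "default"]
    default_has_pw = any(
        "nopass" not in r and any(t.startswith((">", "#")) for t in r)
        for r in default_rules
    )
    if not (has_requirepass or default_has_pw):
        if values("aclfile"):
            findings.append("auth-unknown: users live in an external aclfile, check it sets a default password")
        else:
            findings.append("no-auth: no requirepass and the default user has no password")

    # 2. Network exposure: no bind directive means every interface; protected-mode is the last safety net.
    binds = [t.lstrip("-") for a in values("bind") for t in a]
    if not binds:
        findings.append("exposed-bind: no bind directive, Redis listens on all interfaces")
    elif any(b in WILDCARD_BINDS for b in binds):
        findings.append("exposed-bind: bind includes a wildcard address")
    pm = values("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode-off: remote clients are accepted even without a password")

    # 3. Is Lua reachable? Either the script commands are renamed away or the
    #    default user is denied the @scripting category.
    renamed_away = {a[0].lower() for a in values("rename-command") if len(a) == 2 and a[1] == ""}
    scripting_open = not SCRIPT_CMDS <= renamed_away and (
        default_user_allows_scripting(default_rules[-1]) if default_rules else True
    )
    if scripting_open:
        findings.append("scripting-open: EVAL/EVALSHA/SCRIPT reachable by the default user")
    return findings


# Constructed sample 1: a bare container-style deployment with no hardening.
WEAK_CONF = """
port 6379
protected-mode no
"""

# Constructed sample 2: loopback only, password required, Lua denied to the default user.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
user default on >replace-with-a-long-random-secret ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```

Denying `@scripting` to the default user (or renaming EVAL, EVALSHA and SCRIPT away, the older pre-ACL technique) removes the entry point the flaw needs even before the patch is applied, but it also breaks any application that relies on Lua, so check application behaviour before rolling the ACL change out. The audit is deliberately a heuristic: ACL rules are order-sensitive and per-command overrides beyond the three script commands are not modelled.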

Attack Flow and Exploitation Steps

The attack begins when an adversary sends a malicious Lua script to the target Redis instance. Upon successful exploitation of the UAF vulnerability, the attacker escapes the sandbox and establishes a reverse shell for persistent access.

With this foothold, the attacker can fully compromise the host, steal sensitive credentials such as SSH keys and IAM tokens, install malware, and exfiltrate data from both Redis and the underlying system.
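The attack flow above starts with a client submitting a Lua script, so script-loading commands from an unexpected client are the earliest signal a defender can watch for. The triage below, written for this article as an added example (not code from Redis, Wiz Research or the author), parses Redis MONITOR output and flags EVAL, EVALSHA, SCRIPT and related commands by source. The MONITOR line format is real Redis behaviour; the trusted subnet and the sample lines are constructed.

```python
"""Flag Lua script submissions in Redis MONITOR output.

Added example for this article, not code from Redis, Wiz Research or the
author. MONITOR's line format is real Redis behaviour; the trusted subnet and
the sample lines below are constructed for the demonstration.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Every way a client can load or run a Lua script in current Redis.
SCRIPT_CMDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO", "SCRIPT",
               "FUNCTION", "FCALL", "FCALL_RO"}

# Assumption for the demo: application servers live in 10.0.1.0/24.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("10.0.1.0/24")]

# MONITOR prints: <unix-ts> [<db> <client>] "<cmd>" "<arg>" ...
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$")
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted argument, escapes allowed


def parse_monitor_line(line: str) -> Optional[Dict]:
    """Return {ts, db, client, args} for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m["rest"])]
    return {"ts": float(m["ts"]), "db": int(m["db"]), "client": m["client"], "args": args}


def client_is_trusted(client: str) -> bool:
    """'lua' marks calls made from inside a running script; unix: is a local socket."""
    if client == "lua" or client.startswith("unix:"):
        return True
    host = client.rsplit(":", 1)[0]
    try:
        return any(ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return False


def triage(lines: List[str]) -> List[Dict]:
    """One alert per script command; 'high' when the client is outside the trusted networks."""
    alerts: List[Dict] = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd = ev["args"][0].upper()
        if cmd not in SCRIPT_CMDS or ev["client"] == "lua":
            continue  # ordinary commands, or nested calls inside an already-seen script
        trusted = client_is_trusted(ev["client"])
        alerts.append({
            "ts": ev["ts"],
            "client": ev["client"],
            "command": " ".join(ev["args"][:2])[:80],  # command plus first argument, truncated
            "severity": "info" if trusted else "high",
        })
    return alerts


# Constructed sample: two legitimate app-server calls, then script activity from an outside address.
SAMPLE_MONITOR = """\
1759500000.100001 [0 10.0.1.7:49152] "GET" "session:abc"
1759500000.200002 [0 10.0.1.7:49153] "EVALSHA" "0123456789abcdef0123456789abcdef01234567" "1" "ratelimit:user:42"
1759500001.300003 [0 203.0.113.9:55555] "EVAL" "return redis.call('get', KEYS[1])" "1" "config:flag"
1759500001.300004 [0 lua] "get" "config:flag"
1759500002.400005 [0 203.0.113.9:55556] "SCRIPT" "LOAD" "return 1"
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_MONITOR.splitlines()):
        print(f"{alert['severity']:<4} {alert['client']:<20} {alert['command']}")
```

MONITOR streams every command and Redis documents a measurable throughput cost, so run it in short windows or feed the same parser from a captured sample rather than leaving it attached to a production instance. Once the `@scripting` category is denied to untrusted users via ACL, the `ACL LOG` command records the refused attempts, which is a cheaper signal for the same behaviour.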

On October 3, 2025, Redis issued an official security advisory and released patched versions to fix CVE-2025-49844. All Redis administrators are strongly advised to update immediately, especially internet-exposed or unauthenticated instances.