## Executive summary

Wiz Research has uncovered a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844, which we've dubbed #RediShell, in the widely used Redis in-memory data structure store. The vulnerability has been assigned a CVSS score of 10.0, the highest possible severity.

The vulnerability is a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post-authentication attacker to send a specially crafted malicious Lua script (Lua scripting is a feature supported by default in Redis) that escapes the Lua sandbox and achieves arbitrary native code execution on the Redis host. This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.

Given that Redis is used in an estimated 75% of cloud environments, the potential impact is extensive. Organizations are strongly urged to patch instances immediately, prioritizing those that are exposed to the internet.

On October 3, Redis released a security advisory along with a patched version of Redis. We extend our gratitude to the entire Redis team for their collaboration throughout the disclosure process. We greatly appreciate their transparency, responsiveness, and partnership during this engagement.

In this post, we provide a high-level overview of our discovery and its implications. Given the prevalence and sensitivity of this vulnerability, we will defer some of the technical details to a future installment, omitting exploit information for now to allow impacted organizations sufficient time to address the vulnerability. Organizations utilizing Redis are strongly encouraged to update their Redis instances to the latest version immediately.
## Vulnerability Meets Ubiquity: The Redis Risk Multiplier

The newly disclosed RediShell (CVE-2025-49844) vulnerability in Redis has been assigned a CVSS score of 10.0, a rating rarely seen: only around 300 vulnerabilities received it in the past year. It is also the first Redis vulnerability to be rated as critical. The score reflects not just the technical severity of remote code execution, but also how Redis is commonly used and deployed. Redis is widely used in cloud environments for caching, session management, and pub/sub messaging. While Redis has had a strong security history, the combination of this flaw and common deployment practices significantly increases its potential impact.

### Scope

Wiz Research discovered a Remote Code Execution vulnerability, CVE-2025-49844, affecting the widely used Redis database. The vulnerability is a Use-After-Free (UAF) memory corruption that allows an attacker to send a malicious Lua script that leads to arbitrary code execution outside Redis's Lua interpreter sandbox, gaining access to the host. The urgency with which you should address this vulnerability depends on how Redis was installed and its exposure level.

### Exposure Analysis

Our analysis across cloud environments revealed the extensive scope of this vulnerability:

- Approximately 330,000 Redis instances are exposed to the internet at the time of this blog post
- About 60,000 instances have no authentication configured
- 57% of cloud environments install Redis as container images, many without proper security hardening

### Risk Assessment

**Critical Risk - Internet-Exposed + Unauthenticated:** The official Redis container, by default, does not require authentication. Our analysis shows that 57% of cloud environments install Redis as an image. If not installed carefully, these instances may lack authentication entirely.
The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default). This enables attackers to exploit the vulnerability and achieve RCE within the environment.

**High Risk - Internal Network Exposure:** More Redis instances are exposed to internal networks, where authentication may not be prioritized, allowing any host in the local network to connect to the database server. An attacker with a foothold in the cloud environment could gain access to sensitive data and exploit the vulnerability to run arbitrary code for lateral movement into sensitive networks.

### Attack Flow and Impact

The attack sequence demonstrates how an attacker can exploit RediShell (CVE-2025-49844) to achieve comprehensive system compromise:

1. **Initial Exploitation:** the attacker sends a malicious Lua script to exploit the use-after-free vulnerability
2. **Sandbox Escape:** the script escapes the Lua sandbox and achieves arbitrary code execution, then establishes a reverse shell for persistent access
3. **System Compromise:** the attacker steals credentials (.ssh keys, IAM tokens, certificates), installs malware or crypto miners, and exfiltrates sensitive data from Redis and the host
4. **Lateral Movement:** the attacker uses stolen IAM tokens to access other cloud services, escalates privileges, and moves to additional systems

The Result: Host Remote Code Execution

**We recommend that all Redis users upgrade their instances immediately, as this vulnerability poses a significant risk.**

### Disclosure Timeline

- May 16, 2025: Initial vulnerability report sent to Redis at Pwn2Own Berlin.
- Oct 3, 2025: Redis publishes the security bulletin and assigns CVE-2025-49844.
- Oct 6, 2025: Wiz Research publishes this blog post.

### Recommended Actions

**Update Redis Immediately:** Upgrade to the latest patched version. Prioritize any internet-exposed or unauthenticated instances.

**Security Hardening:**

- Enable Redis Authentication: Use the requirepass directive.
- Disable Unnecessary Commands: This includes Lua scripting if it is not being used. You can achieve this by revoking user scripting permissions via Redis ACLs or by disabling scripting commands.
- Run with Minimal Privileges: Operate Redis using a non-root user account.
- Enable Logging and Monitoring: Activate Redis logging and monitoring to track activity and identify potential issues.
- Implement Network-Level Access Controls: Utilize firewalls and Virtual Private Clouds (VPCs).
- Restrict Redis Access: Limit access to authorized networks only.

### How Wiz can help

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to assess the risk in their environment. Wiz identifies both internal and publicly exposed Redis instances in your environment affected by CVE-2025-49844, and alerts you to instances that have been misconfigured to allow unauthenticated access or that use weak or default passwords.

## Conclusion: treat with urgency

RediShell (CVE-2025-49844) represents a critical security vulnerability that affects all Redis versions, because its root cause lies in the underlying Lua interpreter. With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries. The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation. Organizations must prioritize updating their Redis instances and implementing proper security controls to protect against exploitation.

This vulnerability also highlights how deeply today's cloud environments depend on open-source technologies like Redis. That shared reliance is what motivated us, alongside other cloud providers, to launch ZeroDay.Cloud, a community-driven effort to identify and responsibly disclose critical zero-day vulnerabilities in the open-source software powering the cloud.
Redis, along with other core open-source technologies, is part of that effort. Wiz Research will continue to monitor the threat landscape and provide additional technical details in future publications so that organizations have time to implement necessary security measures.

For technical questions about this research, please contact: [email protected]

---

This research was conducted by the Wiz Research team. We thank the Redis security team for their professional handling of this disclosure and their commitment to user security.
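As an added example tying together the Recommended Actions above (this is not code from the Wiz post or the Redis project), the following offline audit parses `redis.conf` text and flags the configuration gaps the post describes: missing authentication, `protected-mode` off, wildcard `bind`, and Lua scripting still reachable (neither `-@scripting` on ACL users nor `EVAL`/`EVALSHA` renamed away). Both sample configurations are constructed for illustration, and the password values are placeholders.

```python
# Constructed sample configs: an unhardened container-style deployment and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_STRONG_SECRET
user default on >REPLACE_WITH_STRONG_SECRET ~* &* +@all -@scripting
rename-command EVAL ""
rename-command EVALSHA ""
"""
SCRIPT_ENTRYPOINTS = ("EVAL", "EVALSHA")  # commands that hand Lua source to the server

def parse_conf(text):
    """Map each directive to the list of its argument lists (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        conf.setdefault(key.lower(), []).append(args)
    return conf

def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    conf = parse_conf(text)
    users = conf.get("user", [])
    findings = []
    # 1. Authentication: requirepass, or an ACL user carrying a '>password' rule.
    if "requirepass" not in conf and not any(a.startswith(">") for u in users for a in u):
        findings.append("no authentication configured (requirepass / ACL password)")
    # 2. protected-mode off removes Redis's last guard against unauthenticated remote clients.
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode is disabled")
    # 3. Network exposure: no bind line, or a wildcard bind, means all interfaces.
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("listens on all interfaces; bind to loopback/private addresses")
    # 4. Lua reachability (heuristic: ACL rule order matters and is not modelled here).
    acl_blocks_lua = bool(users) and all("-@scripting" in u for u in users)
    renamed_away = {args[0].upper() for args in conf.get("rename-command", [])
                    if len(args) == 2 and args[1] == '""'}
    if not acl_blocks_lua and not set(SCRIPT_ENTRYPOINTS) <= renamed_away:
        findings.append("Lua scripting reachable; drop @scripting via ACL or disable EVAL/EVALSHA")
    return findings
```

Run `audit(open("/etc/redis/redis.conf").read())` against a real file to get the same findings list; it is a static check and does not replace upgrading to the patched release.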