Wiz Research has uncovered a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844 which we've dubbed #RediShell, in the widely used Redis in-memory data structure store. The vulnerability has been assigned a CVSS score of 10.0 - the highest possible severity (note that we have seen this listed as a 9.9 in some places, depending on the source).
The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host. This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.
Given that Redis is used in an estimated 75% of cloud environments, the potential impact is extensive. Organizations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet.
On October 3, Redis
released a security advisoryalong with a patched version of Redis. We extend our gratitude to the entire Redis team for their collaboration throughout the disclosure process. We greatly appreciate their transparency, responsiveness, and partnership during this engagement.
In this post, we will provide a high-level overview of our discovery and its implications. Given the prevalence and sensitivity of this vulnerability, we will defer some of the technical details to a future installment, omitting exploit information for now to allow impacted organizations sufficient time to address the vulnerability.
Organizations utilizing Redis are strongly encouraged to update their Redis instances to the latest version immediately.
The newly disclosed RediShell (CVE-2025-49844) vulnerability in Redis has been assigned a CVSS score of 10.0 - a rating rarely seen, with only around 300 vulnerabilities receiving it in the past year. It’s also the first Redis vulnerability to be rated as critical. The score reflects not just the technical severity of remote code execution, but also how Redis is commonly used and deployed. Redis is widely used in cloud environments for caching, session management, and pub/sub messaging. While Redis has had a strong security history, the combination of this flaw and common deployment practices significantly increases its potential impact.
Wiz Research discovered a Remote Code Execution vulnerability CVE-2025-49844 affecting the widely used Redis database. The vulnerability is a Use-After-Free (UAF) memory corruption that allows an attacker to send a malicious Lua script that leads to arbitrary code execution outside Redis’s Lua interpreter sandbox, gaining access to the host.
RediShell affects Redis forks, including the popular Valkey project, which released a patch on October 3.
It also impacts managed Redis services such as Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis.
The urgency with which you should address this vulnerability depends on how Redis was installed and its exposure level.
Our analysis across cloud environments revealed the extensive scope of this vulnerability:
Approximately 330,000 Redis instances are exposed to the internet at the time of this blog post
About 60,000 instances have no authentication configured
57% of cloud environments install Redis as container images, many without proper security hardening
Critical Risk - Internet-Exposed + Unauthenticated:
The official Redis container, by default, does not require authentication. Our analysis shows that 57% of cloud environments install Redis as an image. If not installed carefully, these instances may lack authentication entirely. The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default). This enables attackers to exploit the vulnerability and achieve RCE within the environment.
High Risk - Internal Network Exposure:
More Redis instances are exposed to internal networks where authentication may not be prioritized, allowing any host in the local network to connect to the database server. An attacker with a foothold in the cloud environment could gain access to sensitive data and exploit the vulnerability to run arbitrary code for lateral movement into sensitive networks.
The attack sequence demonstrates how an attacker can exploit RediShell (CVE-2025-49844) to achieve comprehensive system compromise:
Initial Exploitation
Attacker sends a malicious Lua script to exploit the use-after-free vulnerability
Sandbox Escape
Script escapes the Lua sandbox and achieves arbitrary code execution
Establishes reverse shell for persistent access
System Compromise
Steals credentials (.ssh keys, IAM tokens, certificates)
Installs malware or crypto miners
Exfiltrates sensitive data from Redis and host
Lateral Movement
Uses stolen IAM tokens to access other cloud services
Escalates privileges and moves to additional systems
**We recommend that all Redis users upgrade their instances immediately, as this vulnerability poses a significant risk.**
May 16, 2025: Initial vulnerability report sent to Redis in Pwn2Own Berlin.
Oct 3, 2025: Redis publishes the security bulletin and assigned CVE-2025-49844.
Oct 6, 2025: Wiz Research publishes this blog post.
Update Redis Immediately: Upgrade to the latest patched version. Prioritize any internet-exposed or unauthenticated instances.
Security Hardening:
Enable Redis Authentication: Use the requirepass directive.
Disable Unnecessary Commands: This includes Lua scripting if it's not being used. You can achieve this by revoking user scripting permissions via Redis ACLs or by disabling scripting commands.
Run with Minimal Privileges: Operate Redis using a non-root user account.
Enable Logging and Monitoring: Activate Redis logging and monitoring to track activity and identify potential issues.
Implement Network-Level Access Controls: Utilize firewalls and Virtual Private Clouds (VPCs).
Restrict Redis Access: Limit access to authorized networks only.
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to assess the risk in their environment.
Wiz identifies both internal and publicly exposed Redis instances in your environment affected by CVE-2025-49844, and alerts you to instances that have been misconfigured to allow unauthenticated access or use weak or default passwords.
RediShell (CVE-2025-49844) represents a critical security vulnerability that affects all Redis versions due to its root cause in the underlying Lua interpreter. With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries.
The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation. Organizations must prioritize updating their Redis instances and implementing proper security controls to protect against exploitation.
This vulnerability also highlights how deeply today’s cloud environments depend on open-source technologies like Redis. That shared reliance is what motivated us, alongside other cloud providers, to launch ZeroDay.Cloud, a community-driven effort to identify and responsibly disclose critical zero-day vulnerabilities in the open-source software powering the cloud. Redis, along with other core open-source technologies, is part of that effort.
Wiz Research will continue to monitor the threat landscape and provide additional technical details in future publications so that organizations have time to implement necessary security measures.
For technical questions about this research, please contact: research@wiz.io
---
This research was conducted by the Wiz Research team. We thank the Redis security team for their professional handling of this disclosure and their commitment to user security.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。