A critical security flaw in Redis, a popular in-memory database platform used by about 75% of cloud environments, has left an estimated 60,000 servers vulnerable to remote exploitation.
The flaw, identified as CVE-2025-49844 and nicknamed “RediShell,” carries the maximum severity score of 10.0 under the Common Vulnerability Scoring System (CVSS).
The issue, which had gone undetected for roughly 13 years, lies in Redis's embedded Lua scripting engine.
It is a use-after-free bug: an authenticated attacker who can submit a specially crafted Lua script (for example through the EVAL command) can escape the Lua sandbox and execute arbitrary code on the host running Redis.
Once the host is compromised, an attacker could open a reverse shell and establish persistence, steal credentials, move laterally through internal networks, or install malware and cryptominers.
Thousands of Servers Exposed Online
Although exploitation requires an authenticated connection, that bar is often absent in practice: research by cloud security firm Wiz found approximately 330,000 Redis instances exposed to the internet, about 60,000 of them with no authentication configured. On those hosts any client that can reach the Redis port can issue EVAL, so the authentication prerequisite offers no protection, and the combination of public exposure and weak configuration makes them especially vulnerable.
Redis and Wiz jointly disclosed the flaw on October 3, 2025, urging administrators to patch immediately.
Redis released fixed builds 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138 and 6.4.2-131, along with corresponding updates for its open source and other commercial editions; administrators should check the Redis advisory for the exact fixed version of the edition they run.
Redis advised users to apply updates without delay and implement additional safeguards:
- Enable authentication and restrict access to trusted networks
- Disable Lua scripting if not required
- Run Redis as a non-root user
- Enforce firewalls and Virtual Private Clouds (VPCs)
- Monitor logs and set alerts for suspicious behavior
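The first two safeguards, and the exposure pattern Wiz measured, can be checked statically against a server's redis.conf. The script below is an added example, not Redis's or Wiz's code: it parses a redis.conf, flags an instance that is reachable on all interfaces, has protected-mode turned off, has neither requirepass nor ACLs configured, or still exposes the Lua entry points (EVAL, EVALSHA, SCRIPT), and runs those checks against two constructed configs, one with the weak settings described above and one hardened along the lines Redis advised. It only recognizes the rename-command way of removing the Lua commands; on Redis 6 and later the preferred approach is an ACL rule such as -@scripting on the application user, and a deployment that relies on an aclfile will still show the "lua-enabled" finding and needs manual review. Running as a non-root user and firewall or VPC rules live outside redis.conf and are not checked.

```python
"""Static audit of redis.conf against the hardening steps listed above.

Added example; not part of the original article or of Redis's own tooling.
"""

# Constructed sample: an exposed instance with the weak settings the article describes.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after applying Redis's advice.
# The password is a placeholder; generate a long random secret in practice.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

# Commands that hand user-supplied Lua to the embedded interpreter.
LUA_ENTRY_POINTS = ("EVAL", "EVALSHA", "SCRIPT")

# Bind addresses that mean "listen on every interface" (after stripping a leading '-').
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Return {directive: [args, ...]} from redis.conf text.

    redis.conf has no inline comments: only lines starting with '#' are skipped,
    so a trailing '# note' on a directive line would become extra arguments,
    exactly as it does for Redis itself.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit_redis_conf(text):
    """Return a list of finding codes; an empty list means these checks pass."""
    conf = parse_conf(text)
    findings = []

    # 1. Authentication: requirepass (legacy) or ACLs (aclfile / inline user rules).
    if not (conf.get("requirepass") or conf.get("aclfile") or conf.get("user")):
        findings.append("no-auth")

    # 2. Network exposure: no bind directive means all interfaces; so do wildcards.
    bind_lines = conf.get("bind")
    if not bind_lines:
        findings.append("bind-all")
    else:
        # A leading '-' tells Redis not to fail if the address is unavailable.
        addrs = {a.lstrip("-") for a in bind_lines[-1]}
        if addrs & WILDCARD_BINDS:
            findings.append("bind-all")

    # 3. protected-mode refuses remote clients when no auth/bind is set; keep it on.
    pm = conf.get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode-off")

    # 4. Lua entry points: `rename-command X ""` removes the command entirely.
    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1] in ('""', "''")
    }
    if not all(cmd in disabled for cmd in LUA_ENTRY_POINTS):
        findings.append("lua-enabled")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_conf(text) or ['ok']}")
```

Run it as a script to see the weak sample produce all four findings and the hardened sample none; feed it a real redis.conf with `audit_redis_conf(open(path).read())`. Treat "lua-enabled" as a review item rather than a defect on its own: it is only a problem when the application does not need scripting, which is exactly the condition Redis attached to that advice.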
Broader Threat Landscape
Redis servers have long been a target for cybercriminals. Past attacks, such as those involving the P2PInfect, Redigo, HeadCrab and Migo malware, used unpatched or exposed instances to deploy cryptocurrency miners and ransomware.
While there is currently no evidence that CVE-2025-49844 has been exploited in the wild, experts warn that the widespread use of Redis, combined with insecure default deployments such as unauthenticated instances reachable from the internet, makes rapid patching and strict network controls essential to prevent future attacks.