Redis Warned of a 13-Year Critical Vulnerability in the Project Code

The Redis security team has released patches for a maximum-severity vulnerability that could allow attackers to achieve remote code execution (RCE) on thousands of instances. Incredibly, the flaw has been present in the project's codebase for 13 years.


Understanding the 'RediShell' Vulnerability

Redis (Remote Dictionary Server) is a popular open-source, in-memory data structure store used as a database, cache, and message broker in approximately 75% of cloud environments. Its primary advantage is providing ultra-fast data access by storing data in RAM.

Tracked as CVE-2025-49844, the vulnerability stems from a use-after-free memory bug. An authenticated attacker can exploit it by submitting a specially crafted Lua script; Lua scripting is a Redis feature that is enabled by default. Researchers at Wiz, who discovered and reported the bug at Pwn2Own Berlin, have dubbed it "RediShell."

"This provides an attacker with full access to the host system, allowing them to exfiltrate, delete, or encrypt sensitive data, hijack resources, and move laterally in cloud environments." - Wiz researchers

Impact of a Successful Exploit

A successful exploit allows an attacker to escape the Lua sandbox and achieve RCE on the target Redis host. Once compromised, a hacker can:

  • Steal credentials and sensitive information stored in Redis.
  • Deploy malware, ransomware, or cryptocurrency mining tools.
  • Establish a reverse shell for persistent access.
  • Move laterally to attack other systems on the victim's network.

Mitigation and Protection

While the exploit requires authentication, researchers found approximately 330,000 Redis instances exposed online, with at least 60,000 of them requiring no authentication at all. Both Redis and Wiz strongly urge administrators to update their instances immediately, prioritizing those exposed to the internet.

For additional defense, administrators should also implement the following security best practices:

  • Enable strong authentication.
  • Disable Lua scripting and other non-essential commands.
  • Run Redis with a non-root user account.
  • Implement robust logging and monitoring.
  • Restrict network access to authorized networks using firewalls and VPCs.
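The following is an added example, not code from the article or from the Redis project: a small offline checker that reads a redis.conf and reports which of the three configuration-level points above are missing (authentication on the default user, Lua scripting unreachable, and the listener bound to a non-wildcard address with protected-mode on). The two configurations embedded in it are constructed samples and the password is a placeholder; the ACL replay for the @scripting category is a simplification that treats the default user as starting with +@all, which is how Redis creates it. Running Redis as a non-root user and log monitoring are set up outside redis.conf, so they are out of scope for this check.

```python
"""Offline audit of a redis.conf against the hardening points above.

Added example, not code from the article or the Redis project. The two
configurations below are constructed samples; the password is a placeholder.
Non-root execution and log monitoring are configured outside redis.conf and
are therefore not checked here.
"""
import shlex

# Commands that run server-side Lua (EVAL family, SCRIPT, and the Redis 7
# function commands). Removing access to them removes the scripting surface.
LUA_COMMANDS = ("EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO", "SCRIPT",
                "FUNCTION", "FCALL", "FCALL_RO")

# Constructed sample: the shape of the exposed instances the article counts.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, password on the default user, and the
# @scripting category denied through an ACL rule (rules apply left to right).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
user default on >example-placeholder-secret ~* &* +@all -@scripting
"""


def parse_conf(text):
    """Return (directive, args) pairs; directive names are case-insensitive."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line, comments=False)  # keeps "" for: rename-command X ""
        out.append((parts[0].lower(), parts[1:]))
    return out


def default_user_allows_scripting(rules):
    """Replay ACL rules left to right, tracking only the @scripting category.

    Heuristic: the default user is treated as starting with +@all, which is
    how Redis creates it; only category rules and +<lua command> are tracked.
    """
    allowed = True
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting", "reset"):
            allowed = False
        elif r.startswith("+") and r[1:].upper() in LUA_COMMANDS:
            allowed = True
    return allowed


def audit(conf_text):
    """Return a list of findings; an empty list means all three checks pass."""
    directives = parse_conf(conf_text)

    def get(name):
        return [args for d, args in directives if d == name]

    findings = []

    # 1. Authentication: requirepass, or a default user that is off or has a password.
    has_requirepass = any(args and args[0] for args in get("requirepass"))
    default_rules = [t for args in get("user") if args[:1] == ["default"] for t in args[1:]]
    default_locked = "off" in default_rules or (
        any(t.startswith((">", "#")) for t in default_rules) and "nopass" not in default_rules)
    if not (has_requirepass or default_locked):
        findings.append("auth: no requirepass and the default user has no password")

    # 2. Lua: every scripting command renamed away, or denied by ACL for the default user.
    renamed_away = {a[0].upper() for a in get("rename-command") if len(a) == 2 and a[1] == ""}
    reachable = [c for c in LUA_COMMANDS if c not in renamed_away]
    if reachable and default_user_allows_scripting(default_rules):
        findings.append("lua: scripting reachable via " + ", ".join(reachable))

    # 3. Network: explicit non-wildcard bind and protected-mode left on.
    binds = [addr.lstrip("-") for args in get("bind") for addr in args]  # "-addr" marks optional
    if not binds:
        findings.append("net: no bind directive, Redis listens on all interfaces")
    elif any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("net: bind includes a wildcard address")
    pm = get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("net: protected-mode is disabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Point the script at a real redis.conf by passing its contents to audit(). The check accepts either way of taking Lua away: the legacy rename-command directive with an empty name for each command in LUA_COMMANDS, or an ACL rule that leaves the default user without the @scripting category.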

A History of Redis Exploits

Unprotected Redis instances are a frequent target for botnets. In June 2024, the P2PInfect botnet was observed installing Monero cryptominers and deploying a ransomware module on unpatched, internet-facing servers. Other notable malware campaigns targeting Redis include Redigo, HeadCrab, and Migo, all of which hijacked resources for cryptocurrency mining.
