Patch Immediately: RediShell Vulnerability in Redis Could Lead to Remote Code Execution


CVE-2025-49844 (dubbed “RediShell” by Wiz Research) is a critical remote code execution (RCE) vulnerability in Redis, stemming from a Use-After-Free (UAF) memory corruption flaw in the Lua scripting engine. This bug has existed for approximately 13 years and affects all Redis versions with Lua scripting enabled.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2025-49844
  • CVSS Score: 10.0
  • Vulnerability Type: Use-After-Free (UAF) memory corruption
  • Description: Redis uses Lua scripts to allow embedded execution of code within the Redis runtime. A flaw in the Lua garbage collector implementation enables a script to reference and manipulate memory after it has been freed, leading to a Use-After-Free condition. When the memory is reused by the Redis process, it allows crafted payloads to inject executable code into memory and run it at the system level, effectively bypassing the interpreter’s sandbox and memory protections.
  • Affected Releases:
    • All Redis Software releases
    • All Redis OSS/CE/Stack releases with Lua scripting
  • Fixed Releases:
    • Redis Software: 7.22.2-12 and above, 7.8.6-207 and above, 7.4.6-272 and above, 7.2.4-138 and above, 6.4.2-131 and above;
    • OSS/CE: 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, 7.2.11 and above;
    • Stack: 7.4.0-v7 and above, 7.2.0-v19 and above.

Exploitation

An attacker with access to a vulnerable Redis instance (often via weak or absent authentication) can:

  • Upload and execute a crafted Lua script that triggers the UAF bug.
  • Escape the Lua sandbox to execute arbitrary code at the host level.
  • Establish a reverse shell, enabling persistence and lateral movement.
  • Steal credentials (SSH keys, IAM tokens), deploy malware or crypto miners, exfiltrate sensitive data.

Redis is used in ~75% of cloud environments. Wiz’s exposure analysis found approximately 330,000 Redis instances publicly exposed, with 60,000 lacking authentication, making large-scale exploitation plausible in unprotected environments.

CVE-2025-49844 Exploitation Indicators

  1. Connections to Redis from IPs or hosts not part of approved lists or subnets.
  2. Sudden spikes in inbound traffic on Redis ports.
  3. Outbound connections initiated by redis-server (possible reverse shell).
  4. New or modified files in /etc/redis/, /var/lib/redis/, or custom Redis persistence directories.
  5. Unexpected use of EVAL, EVALSHA, or SCRIPT LOAD; new or obfuscated Lua scripts appearing in Redis; commands executed by unknown or low-privilege users.
  6. Unexplained Redis server crashes, specifically crashes with a stack trace that originates from the Lua engine.
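Indicators 1 and 5 can be checked against command telemetry. The following is an added example (not part of the advisory and not Redis or Wiz code) that parses `redis-cli MONITOR` output, which prints one line per command as `<unix time> [<db> <client ip:port>] "CMD" "arg" ...`, and flags scripting commands and commands from clients outside an approved subnet. The sample lines, the approved network `10.0.1.0/24` and the addresses in them are constructed; the parser assumes IPv4 TCP clients (Unix-socket and IPv6 client addresses are not handled). Beyond the EVAL/EVALSHA/SCRIPT LOAD commands named in the indicator, it also flags the Redis 7 FUNCTION LOAD and FCALL commands, which run Lua as well.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `redis-cli MONITOR` output; not from a real incident.
SAMPLE_MONITOR = """\
1728000000.100000 [0 10.0.1.20:51234] "GET" "session:abc"
1728000000.200000 [0 10.0.1.20:51234] "SET" "session:abc" "x"
1728000000.300000 [0 203.0.113.9:40001] "SCRIPT" "LOAD" "local t = {} ..."
1728000000.400000 [0 203.0.113.9:40001] "EVALSHA" "d34db33f" "0"
1728000000.500000 [0 10.0.1.21:51300] "EVAL" "return redis.call('GET', KEYS[1])" "1" "k"
"""

# Assumed allowlist of client networks (replace with the real approved subnets).
APPROVED_NETS = [ip_network("10.0.1.0/24")]

# One MONITOR line: timestamp, [db client_ip:port], quoted command, quoted args.
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<ip>[^:\]]+):(?P<port>\d+)\] '
    r'"(?P<cmd>[^"]+)"(?P<args>.*)$'
)
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring \" escapes


def parse_line(line):
    """Return a dict for a MONITOR line, or None if the line is not one."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["args"] = ARG_RE.findall(event["args"])
    return event


def loads_or_runs_lua(cmd, args):
    """True for commands that load or execute Lua code."""
    if cmd in ("EVAL", "EVALSHA", "FCALL"):
        return True
    # SCRIPT LOAD and FUNCTION LOAD register code; other subcommands are benign.
    return cmd in ("SCRIPT", "FUNCTION") and bool(args) and args[0].upper() == "LOAD"


def classify(event):
    """Return the list of indicator tags that apply to one parsed event."""
    findings = []
    cmd = event["cmd"].upper()
    approved = any(ip_address(event["ip"]) in net for net in APPROVED_NETS)
    if not approved:
        findings.append("unapproved_source")          # indicator 1
    if loads_or_runs_lua(cmd, event["args"]):
        findings.append("lua_script_use")             # indicator 5
        if not approved:
            findings.append("lua_from_unapproved_source")
    return findings


def scan_monitor(text):
    """Scan MONITOR output; return (ts, ip, cmd, findings) for every flagged line."""
    alerts = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        findings = classify(event)
        if findings:
            alerts.append((event["ts"], event["ip"], event["cmd"], findings))
    return alerts


if __name__ == "__main__":
    for alert in scan_monitor(SAMPLE_MONITOR):
        print(alert)
```

MONITOR itself costs throughput on a busy instance, so in production the same logic is better applied to a short capture or to ACL LOG entries; the parsing and classification are the same.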

Recommendations

  1. Immediately update Redis to the latest patched version. Prioritize patching internet-exposed or unauthenticated instances.
  2. Enforce the use of credentials for all access to Redis instances. Avoid configurations that allow unauthenticated access, and ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
  3. Ensure that only authorized users and systems have access to the Redis database.
  4. Ensure that user identities with access to Redis are granted the minimum permissions necessary. Only allow trusted identities to run Lua scripts or any other potentially risky commands.
  5. If Lua scripting is not required, disable it via Redis ACLs.
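Recommendations 1, 2 and 5 can be checked from two artifacts an operator already has: the `INFO server` output and the `redis.conf` file. The following is an added example (not part of the advisory and not Redis code) that compares the running OSS/CE version against the advisory's fixed-release list for its branch, and audits a config file for `protected-mode`, authentication (`requirepass`, `aclfile` or `user` lines) and an unrestricted `bind`, and reports ACL users who are granted `+@all` (or `allcommands`) without `-@scripting`, the ACL category that covers EVAL, EVALSHA and SCRIPT. The INFO text and both config files are constructed; the version table covers only the OSS/CE branches listed in the advisory, so Redis Software and Stack version strings must be checked against their own lists.

```python
import re

# Minimum fixed OSS/CE release per branch, taken from the advisory's "Fixed Releases" list.
FIXED_OSS_CE = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}

# Constructed INFO server excerpt (not a real instance).
SAMPLE_INFO = "# Server\nredis_version:7.2.10\nredis_mode:standalone\n"

# Constructed weak configuration: protected mode off, no credentials, listens everywhere.
WEAK_CONF = """\
protected-mode no
port 6379
"""

# Constructed hardened configuration; passwords are placeholders.
HARDENED_CONF = """\
bind 127.0.0.1 10.0.1.5
protected-mode yes
port 6379
user default off
user app on >app-password-placeholder ~app:* +@all -@scripting -@dangerous
user admin on >admin-password-placeholder ~* +@all
"""


def parse_version(text):
    return tuple(int(p) for p in text.strip().split(".")[:3])


def version_status(redis_version):
    """'patched', 'vulnerable', or 'unlisted-branch' for an OSS/CE version string."""
    v = parse_version(redis_version)
    branch = v[:2]
    if branch not in FIXED_OSS_CE:
        return "unlisted-branch"   # no fixed release listed for this branch; upgrade
    return "patched" if v >= FIXED_OSS_CE[branch] else "vulnerable"


def redis_version_from_info(info_text):
    m = re.search(r"^redis_version:(\S+)", info_text, re.M)
    return m.group(1) if m else None


def audit_conf(conf_text):
    """Return a list of hardening findings for a redis.conf text."""
    settings, users = {}, []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "user":
            users.append(value.split())    # ACL rule tokens: name, then rules
        else:
            settings[key.lower()] = value

    findings = []
    # Redis defaults protected-mode to yes when the directive is absent.
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is off")
    if not ("requirepass" in settings or "aclfile" in settings or users):
        findings.append("no authentication configured (requirepass/aclfile/user)")
    bind = settings.get("bind", "").split()
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind not restricted to specific interfaces")
    for toks in users:
        if ("+@all" in toks or "allcommands" in toks) and "-@scripting" not in toks:
            findings.append(f"user '{toks[0]}' may run Lua scripting")
    return findings


if __name__ == "__main__":
    print(redis_version_from_info(SAMPLE_INFO), version_status(redis_version_from_info(SAMPLE_INFO)))
    print("weak:", audit_conf(WEAK_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
```

The hardened file still yields one finding, for the `admin` user, which is the intended reading of recommendation 4: scripting stays available only to an explicitly trusted identity, and the audit names that identity so the grant is a deliberate decision rather than an oversight.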

Ampcus Cyber