RediShell Vulnerability Exposes Thousands of Redis Servers to Remote Exploitation

A critical vulnerability in Redis, one of the most widely used in-memory data stores, has been discovered — and it’s been hiding in plain sight for over 13 years.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

A critical vulnerability in Redis, one of the most widely used in-memory data stores, has been discovered — and it’s been hiding in plain sight for over 13 years. The flaw, tracked as CVE-2025-49844 and dubbed “RediShell”, carries the maximum severity score of 10.0 (CVSS) and could expose up to 60,000 publicly accessible Redis servers to remote code execution (RCE) attacks, according to researchers from Wiz.

What Is Redis?

Redis (Remote Dictionary Server) is an open-source, in-memory key-value data store often used as a cache or real-time database for web and cloud applications. Its speed and flexibility have made it a foundation for scalable architectures — powering roughly 75% of modern cloud environments.

By default, Redis instances are designed for internal use only and often deployed without authentication. However, Wiz found that around 330,000 Redis instances are accessible from the internet — and 60,000 of them have no authentication enabled, creating ideal conditions for exploitation.

Understanding the RediShell Vulnerability

The RediShell vulnerability stems from a use-after-free flaw in Redis’ Lua scripting engine, a powerful feature that allows users to run custom scripts within the server.

An attacker can exploit the flaw by sending a malicious Lua script, escaping the sandbox, and executing arbitrary code on the host system. This could allow:

  • Full system compromise

  • Credential theft and data exfiltration

  • Malware deployment

  • Lateral movement across cloud environments

Because Lua scripting is enabled by default, attackers can remotely trigger the exploit — especially if authentication is disabled or misconfigured.

Patches and Mitigation

On October 3, Redis released multiple patched versions to fix the vulnerability across its product lines:

  • Redis versions: 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131

  • OSS/CE versions: 8.2.2, 8.0.4, 7.4.6, and 7.2.11

  • Redis Stack: 7.4.0-v7 and 7.2.0-v19

According to Redis, the issue can be triggered by manipulating the garbage collector. While most cloud-managed Redis deployments have been automatically updated, self-managed instances must be manually upgraded immediately.
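For self-managed instances, the first question is simply whether the running build is at or above the fixed OSS/CE release for its line. The following Python snippet is an added example, not code from Redis or from the article: it parses the `redis_version` field of an `INFO server` reply and compares it against the OSS/CE fix versions listed above. The fix table is taken from the list on this page; release lines not in that list (older branches) are reported as unlisted rather than assumed safe. The sample `INFO` text is constructed.

```python
import re

# Minimum patched Redis OSS/CE release per minor line, taken from the fix
# list above (8.2.2, 8.0.4, 7.4.6, 7.2.11). Older lines are not covered by
# that list, so they are reported separately rather than assumed safe.
FIXED_OSS_VERSIONS = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
}

# INFO server emits one "field:value" pair per line; redis_version is the one we need.
_VERSION_RE = re.compile(r"^redis_version:(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_redis_version(info_server: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from the raw text returned by INFO server."""
    match = _VERSION_RE.search(info_server)
    if match is None:
        raise ValueError("redis_version field not found in INFO output")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def redishell_status(version: tuple[int, int, int]) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unlisted-line'.

    'unlisted-line' means the release line does not appear in the published
    fix list; treat it as needing verification, not as patched.
    """
    fixed = FIXED_OSS_VERSIONS.get(version[:2])
    if fixed is None:
        return "unlisted-line"
    return "patched" if version >= fixed else "vulnerable"


def audit_info_output(info_server: str) -> dict:
    """Convenience wrapper: parse INFO output and return version plus status."""
    version = parse_redis_version(info_server)
    return {"version": ".".join(map(str, version)), "status": redishell_status(version)}


# Constructed sample of an INFO server reply (CRLF line endings, as Redis sends them).
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.4.5\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 6.1.0 x86_64\r\n"
)

if __name__ == "__main__":
    print(audit_info_output(SAMPLE_INFO))
```

Feed it the output of `redis-cli INFO server` from each self-managed node (or from your inventory tool) and the classification tells you which nodes still need the upgrade; the comparison is on the OSS/CE numbering only, so Redis Software and Redis Stack builds from the list above need their own table.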

Redis also recommends:

  • Restricting network access to trusted systems

  • Enforcing strong authentication and protected mode

  • Using firewalls and network policies to limit exposure

  • Allowing only trusted identities to execute Lua scripts
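The four recommendations above map directly onto a handful of `redis.conf` directives: `bind`, `protected-mode`, `requirepass`, and ACL `user` lines, where denying the `@scripting` category removes EVAL, EVALSHA, SCRIPT and the Functions commands from a user. The Python audit below is an added example, not Redis's own tooling or code from the article: it parses a configuration file and reports the weak settings, with a constructed weak configuration beside a hardened one in which only a dedicated service user keeps scripting rights. Its ACL walk is a simplified model of Redis's rule evaluation (it tracks category-level grants and explicit scripting-command grants, and assumes a `user` line starts from a reset user), so treat its results as a first pass, not an authoritative ACL check.

```python
# Bind values that mean "every interface" (Redis also accepts optional
# addresses prefixed with '-', e.g. "bind * -::*").
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*", "-::*", "-*", "-0.0.0.0"}

# Commands that belong to the @scripting ACL category (EVAL family, SCRIPT,
# and the Redis Functions commands).
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script",
                      "fcall", "fcall_ro", "function"}


def parse_redis_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def user_state(rules: list[str]) -> tuple[bool, bool, bool]:
    """Evaluate ACL rules left to right; return (enabled, has_password, can_script).

    Assumption: a 'user' line in redis.conf applies to a reset user (off, no
    password, no commands), so the walk starts from all-False. Only
    category-level and explicit scripting-command grants are tracked.
    """
    enabled = has_password = can_script = False
    for rule in rules:
        r = rule.lower()
        if r == "on":
            enabled = True
        elif r == "off":
            enabled = False
        elif r[0] in ">#":              # '>plain' or '#sha256' sets a password
            has_password = True
        elif r in ("nopass", "resetpass"):
            has_password = False
        elif r in ("+@all", "allcommands", "+@scripting"):
            can_script = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            can_script = False
        elif r.startswith("+") and r[1:].split("|")[0] in SCRIPTING_COMMANDS:
            can_script = True           # explicit grant of a single scripting command
    return enabled, has_password, can_script


def audit_redis_conf(text: str) -> dict:
    """Report weak settings relevant to the RediShell exposure chain."""
    directives: dict[str, list[str]] = {}
    users: dict[str, list[str]] = {}
    for name, args in parse_redis_conf(text):
        if name == "user" and args:
            users[args[0]] = args[1:]
        else:
            directives[name] = args

    findings = []
    # protected-mode defaults to yes; only an explicit "no" turns it off.
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode is disabled")
    bind = directives.get("bind")
    if bind is None or any(b in WILDCARD_BINDS for b in bind):
        findings.append("no restrictive bind: server listens on all interfaces")

    states = {name: user_state(rules) for name, rules in users.items()}
    if "default" not in states:
        # Built-in default user is on/nopass/+@all; requirepass gives it a password.
        states["default"] = (True, bool(directives.get("requirepass")), True)
    enabled, has_password, can_script = states["default"]
    if enabled and not has_password:
        findings.append("default user accepts connections without a password")
    if enabled and can_script:
        findings.append("default user may run Lua scripts (@scripting not denied)")

    scripting_users = sorted(n for n, (on, _, script) in states.items() if on and script)
    return {"findings": findings, "scripting_users": scripting_users}


# Constructed examples: a weak configuration and a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
# Default user keeps data access but loses the whole @scripting category.
user default on >ReplaceWithRealSecret ~* &* +@all -@scripting
# Only the dedicated service identity may load and run Lua scripts.
user script-svc on >ReplaceWithRealSecret ~* &* +@all
"""

if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

The hardened configuration keeps scripting available for the one identity that needs it, which is the practical form of "allowing only trusted identities to execute Lua scripts": the flaw is still present until the binary is patched, but an unauthenticated or low-privilege client can no longer reach the Lua engine at all.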

Detection and Impact

While there is no evidence of active exploitation, the potential impact is severe given Redis’ prevalence in cloud environments. Signs of compromise may include:

  • Unusual network traffic or database queries

  • Unexpected Lua script execution

  • Unauthorized access logs or file changes

  • Redis process crashes linked to the Lua engine
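"Unexpected Lua script execution" is the most specific of these signals, and Redis exposes enough to check for it: the `MONITOR` command streams every processed command with its source client, so scripting commands arriving from hosts that are not known script users stand out. The Python detector below is an added example, not code from Wiz, Redis or the article: it parses `MONITOR` output lines, flags `@scripting` commands from hosts outside an allowlist, and counts alerts per source host. The sample lines, hosts and allowlist are constructed.

```python
import re
from collections import Counter
from typing import Optional

# One MONITOR line: <unix_ts> [<db> <client>] "<cmd>" "<arg>" ... where
# <client> is "ip:port", "unix:/path", or "lua" for commands issued by a script.
MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands in the @scripting category that load or execute Lua.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                      "SCRIPT", "FCALL", "FCALL_RO", "FUNCTION"}


def parse_monitor_line(line: str) -> Optional[dict]:
    """Parse one MONITOR line into a dict, or return None for non-matching text."""
    match = MONITOR_LINE.match(line.strip())
    if match is None:
        return None
    args = QUOTED_ARG.findall(match.group("args"))
    if not args:
        return None
    client = match.group("client")
    # Strip the ephemeral port so alerts group by source host; keep
    # "unix:..." and "lua" identifiers as they are.
    host = client if client.startswith("unix:") or ":" not in client else client.rsplit(":", 1)[0]
    return {
        "ts": float(match.group("ts")),
        "db": int(match.group("db")),
        "host": host,
        "command": args[0].upper(),
        "args": args[1:],
    }


def find_unexpected_scripting(lines, allowed_hosts: set[str]) -> list[dict]:
    """Return scripting-command events whose source host is not on the allowlist."""
    alerts = []
    for line in lines:
        event = parse_monitor_line(line)
        if event is None or event["command"] not in SCRIPTING_COMMANDS:
            continue
        if event["host"] in allowed_hosts:
            continue
        alerts.append(event)
    return alerts


def summarize_by_host(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per source host, most frequent first."""
    return dict(Counter(a["host"] for a in alerts).most_common())


# Constructed MONITOR output: one trusted app host, one unexpected host, and
# a command issued from inside a script (client "lua").
SAMPLE_MONITOR = [
    '1665400000.100000 [0 10.0.0.5:40000] "GET" "session:abc"',
    '1665400000.200000 [0 10.0.0.5:40000] "EVALSHA" "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" "1" "ratelimit:user:42"',
    '1665400000.300000 [0 lua] "INCR" "ratelimit:user:42"',
    '1665400000.400000 [0 203.0.113.9:51234] "EVAL" "return 1" "0"',
    '1665400000.500000 [0 203.0.113.9:51234] "SCRIPT" "FLUSH"',
]

ALLOWED_SCRIPT_HOSTS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in find_unexpected_scripting(SAMPLE_MONITOR, ALLOWED_SCRIPT_HOSTS):
        print(alert["host"], alert["command"], alert["args"])
```

Two caveats for production use: `MONITOR` has a measurable throughput cost on a busy instance, so run it from a dedicated, short-lived collector or sample rather than continuously; and after the ACL hardening above the same signal is available more cheaply, since denied `@scripting` calls show up as `NOPERM` errors in application logs and in the `ACL LOG` output.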

As Wiz warns, the vulnerability “represents a critical risk across all industries” due to its long lifespan and global footprint.

Expert Recommendations

Piyush Sharma, co-founder and CEO of Tuskira, emphasized the broader lesson:

“This Lua-based flaw reinforces the need for proactive exposure management. Security teams should continuously identify outdated Redis builds and validate exploitability using safe simulations.”

He advises disabling Lua for untrusted users, monitoring Redis process behavior, and isolating exposed nodes to prevent lateral movement.

Conclusion

RediShell (CVE-2025-49844) serves as a reminder that even mature, trusted technologies can harbor long-lived flaws. For organizations relying on Redis, patching immediately, tightening network access, and disabling unneeded scripting capabilities are essential to defend against one of the most impactful vulnerabilities uncovered this year.