
Redis warns of critical flaw impacting thousands of instances

The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances.

Redis (short for Remote Dictionary Server) is an open-source data structure store used in roughly 75% of cloud environments, functioning as a database, cache, and message broker, and storing data in RAM for ultra-fast access.

The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default).

Successful exploitation enables them to escape the Lua sandbox, trigger a use-after-free, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis hosts.

After compromising a Redis host, attackers can steal credentials, deploy malware or cryptocurrency mining tools, extract sensitive data from Redis, move laterally to other systems within the victim's network, or use stolen information to gain access to other cloud services.


"This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments," said Wiz researchers, who reported the security issue at Pwn2Own Berlin in May 2025 and dubbed it RediShell.

While successful exploitation requires attackers to first gain authenticated access to a Redis instance, Wiz found around 330,000 Redis instances exposed online, with at least 60,000 of them not requiring authentication.

Redis and Wiz urged admins to patch their instances immediately by applying the security updates released on Friday, "prioritizing those that are exposed to the internet."

Vulnerability: [CVE-2025-49844] Lua Use-After-Free may lead to remote code execution (CVSS Score: 10.0, Critical)

Impacted releases: All Redis Software releases
Fixed releases: 7.22.2-12 and above, 7.8.6-207 and above, 7.4.6-272 and above, 7.2.4-138 and above, 6.4.2-131 and above

Impacted releases: All Redis OSS/CE/Stack releases with Lua scripting
Fixed releases: OSS/CE: 8.2.2 and above, 8.0.4 and above, 7.4.6 and above, 7.2.11 and above; Stack: 7.4.0-v7 and above, 7.2.0-v19 and above
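A quick way to turn the fixed-release table into an inventory check is to compare each server's reported version against the first fixed patch on its branch. The script below is an added example, not code from Redis or Wiz: it reads the `redis_version` line from the output of the `INFO server` command (the sample output here is constructed), covers only the OSS/CE version scheme listed in the table, and treats any branch the table does not list as affected, since the advisory says every release with Lua scripting is impacted.

```python
import re

# First fixed patch release per OSS/CE branch, taken from the advisory table:
# 8.2.2, 8.0.4, 7.4.6 and 7.2.11 "and above".
FIXED_OSS_CE = {(8, 2): 2, (8, 0): 4, (7, 4): 6, (7, 2): 11}

# Constructed sample of the INFO server output as returned by redis-cli.
SAMPLE_INFO = "# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\n"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def version_from_info(info_text):
    """Extract the redis_version value from INFO server output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no redis_version line in INFO output")


def parse_version(version):
    """Parse an OSS/CE 'major.minor.patch' string into a tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OSS/CE version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True only when the branch has a listed fix and the patch level
    is at or above it. Unlisted branches are conservatively reported as
    affected, matching the 'all releases with Lua scripting' impact."""
    major, minor, patch = parse_version(version)
    first_fixed = FIXED_OSS_CE.get((major, minor))
    return first_fixed is not None and patch >= first_fixed


def assess(version):
    """Human-readable verdict for one server, suitable for a report line."""
    major, minor, patch = parse_version(version)
    first_fixed = FIXED_OSS_CE.get((major, minor))
    if is_patched(version):
        return f"{version}: fixed release for CVE-2025-49844 ({major}.{minor} branch)"
    if first_fixed is None:
        return (f"{version}: branch {major}.{minor} has no fixed release in the table; "
                "treat as affected and upgrade to a listed release")
    return f"{version}: affected; upgrade to {major}.{minor}.{first_fixed} or later"


if __name__ == "__main__":
    print(assess(version_from_info(SAMPLE_INFO)))
    for v in ("8.2.2", "8.2.1", "8.1.0", "7.2.11"):
        print(assess(v))
```

Run it against the `INFO server` output collected from each host; anything that does not come back as a fixed release goes on the patch list, with internet-exposed instances first, as the advisory recommends.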

To further secure their Redis instances against remote attacks, admins can also enable authentication, disable Lua scripting and other unnecessary commands, run Redis using a non-root user account, enable Redis logging and monitoring, restrict access to authorized networks only, and implement network-level access controls using firewalls and Virtual Private Clouds (VPCs).
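Most of those hardening steps are expressed as directives in redis.conf, so they can be audited before a server is deployed. The script below is an added example, not Redis code: it parses redis.conf syntax with the standard directive names (`requirepass`, `user` ACL lines, `rename-command`, `bind`, `protected-mode`, `logfile`, `syslog-enabled`) and reports which of the article's recommendations a config fails. Both configs are constructed samples, a weak one and the same server hardened. Running as a non-root user and the firewall/VPC controls live outside redis.conf and are not checked here.

```python
import shlex

WEAK_CONF = """\
# Constructed sample: a minimal config that listens everywhere with no auth
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

HARDENED_CONF = """\
# Constructed sample: the same server with the article's hardening applied
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command EVAL ""
rename-command EVALSHA ""
rename-command CONFIG ""
logfile /var/log/redis/redis-server.log
"""


def parse_conf(text):
    """Return (directive, [args]) pairs; comment and blank lines are dropped.
    shlex handles the quoted empty string used to disable a command."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text):
    """Map each hardening check to True (passes) or False (finding)."""
    conf = parse_conf(text)

    def args_for(name):
        return [args for directive, args in conf if directive == name]

    # Authentication: a non-empty requirepass, or an ACL 'user' line that
    # sets a password (>plaintext or #sha256) and does not say nopass.
    requirepass = any(args and args[0] for args in args_for("requirepass"))
    acl_password = any(
        any(a[:1] in (">", "#") for a in args) and "nopass" not in args
        for args in args_for("user")
    )

    # Lua scripting: EVAL and EVALSHA renamed to "" (disabled), or every
    # ACL user denied the @scripting command category.
    disabled = {args[0].upper() for args in args_for("rename-command")
                if len(args) == 2 and args[1] == ""}
    users = args_for("user")
    lua_off = {"EVAL", "EVALSHA"} <= disabled or (
        bool(users) and all("-@scripting" in args for args in users))

    # Network: an explicit bind list with no wildcard address, and
    # protected-mode left on (absent means the default, yes).
    binds = [addr for args in args_for("bind") for addr in args]
    wildcard = any(addr.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for addr in binds)
    protected = all(args and args[0].lower() == "yes" for args in args_for("protected-mode"))
    network_ok = bool(binds) and not wildcard and protected

    # Logging: a logfile path (empty string means stdout only), or syslog.
    logging_on = any(args and args[0] for args in args_for("logfile")) or any(
        args and args[0].lower() == "yes" for args in args_for("syslog-enabled"))

    return {
        "authentication": requirepass or acl_password,
        "lua_scripting_disabled": lua_off,
        "network_restricted": network_ok,
        "logging_enabled": logging_on,
    }


def findings(text):
    """Sorted names of the checks that fail, for a one-line report."""
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, findings(conf) or "no findings")
```

Disabling EVAL and EVALSHA via `rename-command` is the older mechanism; on Redis 7 and later the same effect is achieved by denying the `@scripting` category to every ACL user, which the script also accepts. Either way, the check is a compensating control and not a substitute for applying the fixed release.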

"RediShell (CVE-2025-49844) represents a critical security vulnerability that affects all Redis versions due to its root cause in the underlying Lua interpreter. With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant risk to organizations across all industries," Wiz warned in a report shared with BleepingComputer.

"The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation. Organizations must prioritize updating their Redis instances and implementing proper security controls to protect against exploitation."

Threat actors frequently target Redis instances via botnets that infect them with malware and cryptominers. For example, in June 2024, a peer-to-peer malware botnet known as P2PInfect installed Monero cryptomining malware and deployed a ransomware module in attacks targeting Internet-exposed and unpatched Redis servers.


Previously, Redis servers were also backdoored with Redigo malware and infected in HeadCrab and Migo malware attacks, which disabled security features on compromised instances and hijacked them to mine for the Monero cryptocurrency.
