
Thirteen-Year Redis Vulnerability Exposes Massive Attack Surface: Critical RCE Bug Threatens Cloud Ecosystems

Updated: Oct 10

A critical remote code execution flaw has been discovered in Redis, the widely used in-memory data store, that lurked undetected for 13 years. This vulnerability, now patched, allows attackers to run code on underlying host systems—threatening hundreds of thousands of Redis instances globally, especially those exposed to the internet without proper protections.


Key Takeaways

  • 13-year-old vulnerability (CVE-2025-49844 dubbed "RediShell") impacted all Redis versions prior to October 2025.

  • Carries maximum CVSS severity score of 10.0, permitting full host system compromise.

  • Affects an estimated 330,000 internet-exposed instances; roughly 60,000 lack any authentication.

  • The vulnerability is a use-after-free bug reached through Lua scripting—a default Redis feature.

  • Immediate patching and hardening are strongly advised for all Redis operators.

How The Bug Works And Its Risks

The flaw stems from a use-after-free memory corruption issue within Redis’s Lua scripting engine, introduced into the codebase more than a decade ago. Exploiting this, attackers with the ability to run scripts (often available by default on unprotected Redis instances) can escape the Lua sandbox to execute arbitrary code at the host level.

Attackers with remote or internal access could:

  • Steal sensitive data including SSH keys and cloud authentication tokens

  • Install malware or cryptominers

  • Encrypt, delete, or exfiltrate data

  • Move laterally across cloud environments

A table summarizing the vulnerability:

CVE ID           Product            Flaw Type        Impact                                     Pre-Conditions
CVE-2025-49844   Redis (all ver.)   Use-After-Free   Remote Code Execution, Full Host Control   Authenticated Lua script capability

Scale Of The Threat: Millions At Risk

Redis is estimated to run in about 75% of cloud environments, handling tasks from caching to authentication. Wiz Research, who uncovered the flaw, found over 330,000 Redis servers accessible from the public internet at the time of disclosure. Alarmingly, nearly 60,000 had no authentication enabled, a risk amplified by the fact that Redis’s official container images do not require authentication by default.

Hidden behind convenience, many internal deployments are also vulnerable. If attackers breach another system or obtain an initial foothold, unauthenticated Redis servers dramatically ease lateral movement across cloud or enterprise networks.

Patching And Defense Recommendations

Redis maintainers released fixes for all supported versions on October 3, 2025. Organizations are urged to:

  1. Upgrade Redis immediately to the newest patched version.

  2. Harden configurations:

     • Enable strong authentication on all instances

     • Disable Lua scripting if not needed

     • Restrict EVAL/EVALSHA commands via ACLs

     • Run Redis as a non-root user

     • Place Redis behind firewalls or within private networks (VPCs)

  3. Monitor for suspicious Lua script usage and newly written binaries, which may indicate exploitation attempts.

  4. Rotate all credentials and tokens that may have been accessed or stored on at-risk Redis hosts.
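To check the hardening items in step 2 against a real configuration, here is an added example (not code from the article or from the Redis project) that audits a redis.conf text for the settings the list names: listening on all interfaces, disabled protected mode, password-less users, and any enabled ACL user who can still reach EVAL/EVALSHA (the @scripting command category). The two sample configs and the app user's password placeholder are constructed.

```python
# Constructed sample configs (not from the article): a permissive redis.conf next to a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """
bind 127.0.0.1 10.0.1.5
protected-mode yes
user default off
user app on >REPLACE-WITH-STRONG-PASSWORD ~app:* -@all +@read +@write -@scripting
"""

def _user_allows_scripting(rules):
    """Walk ACL rules in order; True if EVAL/EVALSHA end up allowed."""
    allowed = False  # a freshly defined ACL user starts with no commands
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@scripting", "+eval", "+evalsha"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed

def audit_redis_conf(conf):
    """Return a list of weak settings found in a redis.conf text (empty = none)."""
    directives, users = {}, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        if name.lower() == "user":
            uname, _, rules = rest.partition(" ")
            users[uname] = rules.split()
        else:
            directives[name.lower()] = rest.split()
    if "default" not in users:  # built-in default user: on, all commands, password only via requirepass
        pw = ">" + directives["requirepass"][0] if "requirepass" in directives else "nopass"
        users["default"] = ["on", pw, "~*", "&*", "+@all"]
    findings = []
    if any(b in ("0.0.0.0", "*", "::") for b in directives.get("bind", ["*"])):
        findings.append("bind: listens on all interfaces")
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode: disabled")
    for uname, rules in users.items():
        if "off" in rules:
            continue
        if "nopass" in rules:
            findings.append(f"user {uname}: enabled without a password")
        if _user_allows_scripting(rules):
            findings.append(f"user {uname}: may run EVAL/EVALSHA (@scripting allowed)")
    return findings
```

Running the audit on the permissive config reports all four weaknesses; the hardened config reports none.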

Broader Security Lessons

The RediShell revelation highlights the ongoing risks posed by decades-old infrastructure code intertwined with modern cloud systems. Security experts warn that default, insecure deployments remain common even among mission-critical workloads, making rapid response and ongoing patch management essential.

Moving forward, organizations must prioritize both software updates and configuration hardening to guard against further vulnerability exposures in broadly used open-source components like Redis. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely, The Hacker News.

  • 13-Year-Old Redis RCE Flaw Lets Attackers Seize Complete Host Control, GBHackers News.

  • Researchers Uncover 13-Yr-Old Redis Flaw Impacting 330,000 Instances, The Cyber Express.

  • 13-year-old Critical Redis RCE Vulnerability Let Attackers Gain Full Access to Host System, Cyber Security News.
