RediShell: Critical RCE Vulnerability in Redis (CVE-2025-49844)
Executive Summary
A critical security vulnerability has been discovered in Redis, a widely used database and caching system. CVE-2025-49844, dubbed “RediShell,” is a use-after-free (UAF) vulnerability in Redis’s Lua scripting engine. It is present in all major versions of Redis and has been assigned a CVSS score of 9.9. Threat actors can exploit this vulnerability if they have authenticated access to a target Redis server, or if they find a Redis server running in its default configuration without authentication. Once a suitable target is found, the attack chain involves sending a maliciously crafted Lua script (Lua scripting is a widely used Redis feature) to trigger the vulnerability.
Redis has become a key component in modern application architectures, often being used to cache sensitive data, pass messages between software components, and store user authentication session data. If compromised, an attacker can use the data stored in Redis to gather sensitive information, impersonate users, or use the host where Redis is running to establish a foothold in an organization’s environment.
This vulnerability has been assigned a score of 9.9 on the CVSS scale, likely due to the fact that Redis’ default configuration does not require authentication. The vulnerability has reportedly existed in Redis for almost 13 years, affecting all versions except those presently patched and listed below as “fixed.”
Affected implementations pose immediate risk to organizations where Redis is embedded in their environment, especially where no authentication is enabled, which is the default configuration.
Although there is no confirmed exploitation in the wild at the time of this writing, Beazley Security expects that disclosure of the vulnerability will enable threat actors to develop exploits and recommends immediate patching of impacted systems to prevent compromise and data theft.
Affected Systems and Products
All Redis versions with Lua scripting are impacted. Redis released patches for CVE-2025-49844 on October 3, 2025. Please see the Patches section for more information.
Mitigations and Workarounds
Beazley Security strongly recommends affected organizations apply the released patches for this critical severity vulnerability to ensure their Redis deployments are protected. For systems that cannot be immediately patched, the following compensating controls have been provided by Redis to help reduce associated risk:
- Restrict network access with firewalls and network rules to limit exposure to trusted networks only. Ensure the Redis default port 6379 is not exposed to the internet and restrict access to only specific application servers that require a connection.
- Enforce passwords with requirepass and do not use configurations that allow unauthenticated access to perform queries.
- Do not run Redis as a root user and limit privileges to reduce impacts in case of compromise. Monitor activity for unusual Lua script execution and anomalous traffic.
Other hardening guidance is provided in the Redis security documentation (see Sources).
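The first two compensating controls above (restricting where Redis listens and enforcing requirepass) are visible directly in redis.conf, so they can be checked mechanically before patching. The following is an added example, not code from the advisory or from Redis: a small audit script that parses a redis.conf text and reports deviations from those controls. The two configuration fragments are constructed for the example; the directive names (bind, protected-mode, port, requirepass) are real Redis directives, and the rule that the last bind line wins reflects how Redis reads the file.

```python
import re

# Constructed example of a default-style redis.conf (not taken from the advisory):
# listens on every interface, protected mode off, password commented out.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed hardened counterpart: loopback plus one app server, password set.
HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass "Str0ng-and-long-passphrase"
"""

# Values in a bind line that expose the listener to every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for the active (non-comment) lines.

    Redis directive names are case-insensitive, so keys are lower-cased.
    A directive that appears several times keeps all values in file order.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit_redis_conf(text):
    """Return a list of findings against the advisory's network/auth workarounds."""
    conf = parse_redis_conf(text)
    findings = []
    port = conf.get("port", ["6379"])[-1]

    # requirepass must exist and be non-empty; quotes around the value are allowed.
    passwords = [v.strip('"') for v in conf.get("requirepass", [])]
    if not any(passwords):
        findings.append("no requirepass set: unauthenticated clients can run scripts")

    # bind: missing, or containing a wildcard address, means the port is reachable
    # from every interface. Redis honours the last bind line, and an address may
    # carry a leading '-' (optional bind), which is stripped before the check.
    binds = conf.get("bind", [])
    if not binds:
        findings.append(f"no bind directive: port {port} listens on all interfaces")
    else:
        addrs = [a.lstrip("-") for a in binds[-1].split()]
        if any(a in WILDCARD_BINDS for a in addrs):
            findings.append(f"bind includes a wildcard address: port {port} exposed on all interfaces")

    # protected-mode is on by default; an explicit 'no' removes the safety net.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is disabled")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

Running the script against a real file is a matter of reading it into `audit_redis_conf`; the third control in the list (not running as root) is a process property rather than a configuration directive and is checked at the OS level instead.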
Patches
For Redis customers using the Redis Cloud service, fixes have already been deployed, and no action is required according to the official vendor advisory.
If hosting self-managed Enterprise Software or Community versions of Redis, customers will need to upgrade to the latest release to fix this vulnerability.
Indicators of Compromise (IOC)
At the time of this advisory, Redis has stated there is no evidence of exploitation for this vulnerability. However, they have provided the following behavioral indicators of compromise to monitor for:
- Access to Redis databases from unauthorized or unknown sources
- Unexpected network traffic to Redis databases
- Unknown or unexpected use of Redis scripting commands
- Unknown or unexpected scripts present in Redis databases
- Redis server crashes, specifically tracing back to the Lua engine
- Unknown, unexpected, or anomalous command executions by the redis-server user
- Unexpected network traffic sourcing from Redis databases
- Unexpected changes to the filesystem, especially directories that host Redis configuration files
Technical Details
CVE-2025-49844 is a critical RCE vulnerability in Redis with a CVSS score of 9.9. At the time of this writing, there have been no public reports of exploitation against this vulnerability in Redis Cloud or in other environments. According to the original researchers at Wiz responsible for disclosing the flaw, it is believed that Redis is embedded in around 75% of cloud environments to date. With public release of the flaw, Beazley Security assesses that exposed and vulnerable Redis instances deployed with default configurations (no authentication required) are at risk of exploitation in the near future.
The vulnerability is documented as a UAF memory corruption flaw that has existed for approximately 13 years in the Redis source code and could allow an “authenticated” attacker to send a malicious Lua script that escapes the sandbox. A successful attack would give a remote attacker the ability to execute native code on an affected Redis host.
Although there is no public proof-of-concept exploit code at the time of this advisory, high-level exploitation and post-exploitation activity have been documented by the previously mentioned Wiz researchers and include the following:
- Attacker obtains credentials or finds an instance without authentication enabled.
- Attacker submits a malicious Lua script that abuses the vulnerability by manipulating the garbage collector, corrupting memory in a controlled way to escape the sandbox and allow native code execution on the system.
- Attacker runs remote code on the affected server to spawn an attacker-controlled shell, deploy a backdoor, and exfiltrate data.
- Attacker extracts data and credentials to move laterally and persist access.
Because successful exploitation could leverage scripting features to achieve full host takeover, the vulnerability is scored critical and affects all Redis builds that include Lua scripting functionality until patched.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
- Redis: Security Advisory: CVE-2025-49844
- https://redis.io/docs/latest/operate/oss_and_stack/management/security/#authentication
- Wiz: RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score
- https://redis.io/docs/latest/operate/rs/security/
- https://redis.io/docs/latest/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/
- https://redis.io/docs/latest/operate/rs/installing-upgrading/#upgrade-existing-deployment