
Redis Under Siege: RediShell Flaw Opens Door to Remote Code Execution

Red | Vulnerability Report

Summary

A critical vulnerability in Redis, tracked as CVE-2025-49844 and dubbed RediShell, exposes all Redis software releases with Lua scripting to remote code execution (RCE). The flaw, discovered on May 16, 2025, originates from a 13-year-old use-after-free bug that allows an authenticated attacker to escape the Lua sandbox and gain full system control.

By submitting a malicious Lua script, attackers can execute arbitrary code on the host, steal credentials, deploy malware, and move laterally across interconnected systems. The flaw impacts all Redis software versions prior to 8.2.2. While Redis Cloud has been patched automatically, self-managed Redis users are urged to upgrade immediately to prevent exploitation.

The RediShell vulnerability is particularly dangerous due to Redis’s widespread adoption in enterprise databases, caching layers, and messaging brokers, making it a prime target for threat actors seeking privileged access and data exfiltration across multi-tenant or cloud environments.


Vulnerability Details

The RediShell vulnerability (CVE-2025-49844) enables remote code execution through a use-after-free memory corruption bug in Redis’s Lua scripting engine, which has existed for over a decade.

Redis, a high-performance in-memory data store, allows Lua scripting by default. Attackers with authenticated access can submit specially crafted Lua scripts that manipulate the garbage collector to trigger memory reuse. This escape from the Lua sandbox grants attackers direct native code execution privileges.

Once exploited, attackers often spawn reverse shells to gain persistent access, steal credentials and secrets such as SSH keys, IAM tokens, and TLS certificates, and use them to move laterally across environments. The resulting compromise can lead to malware deployment, data theft, and cloud account hijacking.

Redis Cloud customers are protected via automated patching, but self-hosted Redis deployments remain vulnerable. Users must upgrade or mitigate immediately by restricting instance access, disabling Lua scripting, rotating credentials, and reviewing logs for anomalies or compromise indicators.

Vulnerability Information:

  • CVE ID: CVE-2025-49844

  • Vulnerability Name: RediShell – Redis Remote Code Execution

  • Affected Products: All Redis releases with Lua scripting (before 8.2.2)

  • CWE ID: CWE-416 (Use-After-Free)

  • CPE: cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*

  • Impact: Full remote code execution and system compromise


Recommendations

  • Upgrade Immediately: Apply patches to all Redis software releases.

    • Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+

    • Redis OSS/CE/Stack: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+, Stack 7.4.0-v7+

  • Restrict Network Access: Ensure Redis instances are not internet-exposed. Use firewalls or private networks, allowing access only from trusted IPs.

  • Enable Detailed Logging: Activate advanced logs and alerting for Lua-related or unauthorized command activity.

  • Enforce Strong Authentication: Require password authentication for all Redis connections and enable Protected Mode to limit untrusted access.

  • Practice Robust Vulnerability Management: Maintain an updated inventory of Redis deployments, validate patch levels regularly, and ensure third-party integrations meet secure configuration standards.
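An added audit script (example code, not the advisory's or Redis's own) that applies the checks above to captured INFO, ACL LIST and CONFIG GET output: patch level against the Redis OSS/CE fixed releases listed here, whether any ACL user can reach the @scripting category, password-less users, protected mode and bind address. The sample capture is constructed, and branches not in the fixed list are assumed to have no fix.

```python
import re

# Fixed Redis OSS/CE releases named in the advisory, keyed by branch (major, minor).
# Assumption: a branch not listed (e.g. 7.0.x, 8.1.x) has no fix and must move up.
FIXED_OSS = {(8, 2): 2, (8, 0): 4, (7, 4): 6, (7, 2): 11}

def is_patched(version):
    """True when the INFO redis_version is on a fixed branch at or above the fix."""
    major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    fixed = FIXED_OSS.get((major, minor))
    return fixed is not None and patch >= fixed

def acl_allows_scripting(rule_line):
    """Walk an ACL LIST entry left to right; later rules override earlier ones.
    Only category-level rules are modelled (assumption: no per-command +eval)."""
    allowed = False
    for tok in rule_line.split():
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed

def audit(info_text, acl_lines, config):
    """Findings from INFO server text, ACL LIST lines and CONFIG GET key/values."""
    findings = []
    m = re.search(r"^redis_version:(\S+)", info_text, re.M)
    version = m.group(1) if m else "unknown"
    if version == "unknown" or not is_patched(version):
        findings.append(f"version {version}: not a fixed release for CVE-2025-49844")
    for line in acl_lines:
        tokens = line.split()
        user = tokens[1]
        if "nopass" in tokens:
            findings.append(f"user {user}: no password required")
        if acl_allows_scripting(line):
            findings.append(f"user {user}: Lua scripting (EVAL/EVALSHA) allowed")
    if config.get("protected-mode") != "yes":
        findings.append("protected-mode is off")
    if any(b in ("*", "0.0.0.0", "::") for b in config.get("bind", "*").split()):
        findings.append(f"bind {config.get('bind', '*')!r}: listens on all interfaces")
    return findings

# Constructed sample capture (not real data): an unpatched, openly reachable instance.
SAMPLE_INFO = "# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = ["user default on nopass ~* &* +@all",
              "user app on #<sha256 placeholder> ~app:* &* +@all -@scripting"]
SAMPLE_CONFIG = {"protected-mode": "no", "bind": "0.0.0.0"}
FINDINGS = audit(SAMPLE_INFO, SAMPLE_ACL, SAMPLE_CONFIG)  # five findings for the sample
```

Feed it the real output of `INFO server`, `ACL LIST` and `CONFIG GET` from each self-managed instance; the `app` user in the sample shows the `-@scripting` rule that removes EVAL/EVALSHA for a client that does not need Lua.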


MITRE ATT&CK TTPs

  • TA0042 Resource Development: T1588, T1588.006 (Obtain Capabilities: Vulnerabilities)

  • TA0002 Execution: T1059 (Command and Scripting Interpreter)

  • TA0003 Persistence: T1068 (Exploitation for Privilege Escalation)

  • TA0004 Privilege Escalation: T1021 (Remote Services)

  • TA0005 Defense Evasion: T1497 (Sandbox Evasion)

  • TA0006 Credential Access: T1552, T1552.001 (Credentials in Files)

  • TA0008 Lateral Movement: T1021 (Remote Services)

  • TA0010 Exfiltration: T1041 (Exfiltration Over C2 Channel)

