A critical vulnerability in Redis, tracked as CVE-2025-49844 and dubbed RediShell, exposes all Redis software releases with Lua scripting to remote code execution (RCE). The flaw, discovered on May 16, 2025, originates from a 13-year-old use-after-free bug that allows an authenticated attacker to escape the Lua sandbox and gain full system control.
By submitting a malicious Lua script, attackers can execute arbitrary code on the host, steal credentials, deploy malware, and move laterally across interconnected systems. The flaw impacts all Redis software versions prior to 8.2.2. While Redis Cloud has been patched automatically, self-managed Redis users are urged to upgrade immediately to prevent exploitation.
The RediShell vulnerability is particularly dangerous due to Redis’s widespread adoption in enterprise databases, caching layers, and messaging brokers, making it a prime target for threat actors seeking privileged access and data exfiltration across multi-tenant or cloud environments.
The RediShell vulnerability (CVE-2025-49844) enables remote code execution through a use-after-free memory corruption bug in Redis’s Lua scripting engine, which has existed for over a decade.
Redis, a high-performance in-memory data store, allows Lua scripting by default. Attackers with authenticated access can submit specially crafted Lua scripts that manipulate the garbage collector so that freed memory is reused. Escaping the Lua sandbox in this way gives the attacker native code execution.
Once exploited, attackers often spawn reverse shells to gain persistent access, steal credentials and secrets such as SSH keys, IAM tokens, and TLS certificates, and use them to move laterally across environments. The resulting compromise can lead to malware deployment, data theft, and cloud account hijacking.
Redis Cloud customers are protected via automated patching, but self-hosted Redis deployments remain vulnerable. Users must upgrade or mitigate immediately by restricting instance access, disabling Lua scripting, rotating credentials, and reviewing logs for anomalies or compromise indicators.
Vulnerability Information:
CVE ID: CVE-2025-49844
Vulnerability Name: RediShell – Redis Remote Code Execution
Affected Products: All Redis releases with Lua scripting (before 8.2.2)
CWE ID: CWE-416 (Use-After-Free)
CPE: cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
Impact: Full remote code execution and system compromise
Upgrade Immediately: Apply patches to all Redis software releases.
Redis Software fixed versions: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
Redis OSS/CE/Stack: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+, Stack 7.4.0-v7+
Restrict Network Access: Ensure Redis instances are not internet-exposed. Use firewalls or private networks, allowing access only from trusted IPs.
Enable Detailed Logging: Activate advanced logs and alerting for Lua-related or unauthorized command activity.
Enforce Strong Authentication: Require password authentication for all Redis connections and enable Protected Mode to limit untrusted access.
Practice Robust Vulnerability Management: Maintain an updated inventory of Redis deployments, validate patch levels regularly, and ensure third-party integrations meet secure configuration standards.
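The patch-level validation from the vulnerability-management item above and the "disable Lua scripting" mitigation from the summary, as an added example that is not the advisory's or Redis's own tooling: it reads `INFO server` output against the fixed Redis OSS/CE versions listed here and walks one `ACL LIST` entry to see whether the scripting commands are still granted to that user. The INFO text, user name and ACL lines are constructed samples; Redis Software (enterprise) builds use a different version numbering and are not covered by this check.

```python
import re

# Minimum fixed Redis OSS/CE version per release line, as listed in the advisory.
FIXED_OSS = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}
# Commands in the ACL "@scripting" category (Lua EVAL family plus Redis Functions).
SCRIPTING_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script", "function", "fcall", "fcall_ro"}

def parse_info_server(info_text):
    """Turn the key:value lines of `INFO server` into a dict; blank and '#' lines are skipped."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def assess_version(info_text):
    """Return (vulnerable, reason) for the node described by `info_text`."""
    version_str = parse_info_server(info_text)["redis_version"]
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if not match:
        raise ValueError(f"unrecognised redis_version {version_str!r}")
    version = tuple(int(x) for x in match.groups())
    fixed = FIXED_OSS.get(version[:2])
    if fixed is None:  # release line with no fix listed (e.g. 6.x OSS): treat as unpatched
        return True, f"{version_str}: no fixed release listed for this line, move to a fixed line"
    if version < fixed:
        return True, f"{version_str}: below fixed version {'.'.join(map(str, fixed))}"
    return False, f"{version_str}: at or above fixed version"

def scripting_allowed(acl_line):
    """Walk the +/- rules of one `ACL LIST` entry in order (last matching rule wins) and
    report whether any scripting command is still allowed. Simplified on purpose: no
    selectors and no subcommand rules such as +script|flush; confirm with ACL DRYRUN."""
    allowed = {cmd: False for cmd in SCRIPTING_CMDS}
    for token in acl_line.split():
        sign, rule = token[0], token[1:].lower()
        if sign not in "+-":
            continue  # user name, on/off, password hash, key/channel patterns
        for cmd in SCRIPTING_CMDS:
            if rule in ("@all", "@scripting", cmd):
                allowed[cmd] = sign == "+"
    return any(allowed.values())

# Constructed samples: an unpatched 7.4 node plus a permissive and a hardened ACL entry.
SAMPLE_INFO = "# Server\r\nredis_version:7.4.2\r\nredis_mode:standalone\r\nos:Linux 6.1.0 x86_64\r\n"
ACL_WEAK = "user app on #<password-hash> ~* &* +@all"          # scripting_allowed -> True
ACL_HARDENED = "user app on #<password-hash> ~* &* +@all -@scripting"  # -> False
```

Run `assess_version` over the `INFO server` output of every node in the inventory and `scripting_allowed` over each `ACL LIST` entry; any user that still resolves to True can reach the vulnerable Lua engine once authenticated.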
TA0042 Resource Development – T1588, T1588.006 (Obtain Capabilities: Vulnerabilities)
TA0002 Execution – T1059 (Command and Scripting Interpreter)
TA0003 Persistence – T1068 (Exploitation for Privilege Escalation)
TA0004 Privilege Escalation – T1021 (Remote Services)
TA0005 Defense Evasion – T1497 (Sandbox Evasion)
TA0006 Credential Access – T1552, T1552.001 (Credentials in Files)
TA0008 Lateral Movement – T1021 (Remote Services)
TA0010 Exfiltration – T1041 (Exfiltration Over C2 Channel)