{"id":5242,"date":"2025-10-07T20:45:54","date_gmt":"2025-10-07T20:45:54","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5242"},"modified":"2025-10-07T20:45:54","modified_gmt":"2025-10-07T20:45:54","slug":"10-0-severity-rce-flaw-puts-60000-redis-instances-at-risk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5242","title":{"rendered":"10.0-severity RCE flaw puts 60,000 Redis instances at risk"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The popular Redis in-memory data store received a patch for a critical vulnerability that leads to remote code execution on the server hosting the database. While the flaw requires authentication to exploit, many Redis instances don\u2019t have authentication configured and around 60,000 of them are exposed to the internet in this configuration.<\/p>\n<p>\u201cGiven that Redis is used in an estimated 75% of cloud environments, the potential impact is extensive,\u201d researchers from Wiz who found the flaw said in <a href=\"https:\/\/www.wiz.io\/blog\/wiz-research-redis-rce-cve-2025-49844\">a report<\/a>. \u201cOrganizations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet.\u201d<\/p>\n<p>The vulnerability, identified as <a href=\"https:\/\/github.com\/redis\/redis\/security\/advisories\/GHSA-4789-qfc9-5f9q\">CVE-2025-49844<\/a> or RediShell, is a use-after-free memory corruption bug that has existed in the Redis code base for around 13 years. 
It was discovered by Wiz researchers and used in <a href=\"https:\/\/www.csoonline.com\/article\/3989785\/ethical-hackers-exploited-zero-day-vulnerabilities-against-popular-os-browsers-vms-and-ai-frameworks.html\">the Pwn2Own Berlin contest<\/a> in May.<\/p>\n<p>Redis has fixed the flaw, along with three other vulnerabilities \u2014 <a href=\"https:\/\/github.com\/redis\/redis\/security\/advisories\/GHSA-m8fj-85cg-7vhp\">CVE-2025-46817<\/a>, <a href=\"https:\/\/github.com\/redis\/redis\/security\/advisories\/GHSA-qrv7-wcrx-q5jp\">CVE-2025-46818<\/a>, and <a href=\"https:\/\/github.com\/redis\/redis\/security\/advisories\/GHSA-4c68-q8q8-3g4f\">CVE-2025-46819<\/a> \u2014 in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, which were released on Oct. 3.<\/p>\n<h2 class=\"wp-block-heading\">Escaping the Lua script sandbox<\/h2>\n<p>Aside from being a data store, Redis allows users to execute scripts written in the Lua programming language. This powerful feature allows applications to execute some of their data-related logic directly inside the database, improving performance.<\/p>\n<p>The Lua scripts are executed inside a sandbox, but CVE-2025-49844 allows attackers to escape that constraint and execute arbitrary code directly on the underlying server. Because of this, the vulnerability has received the highest severity rating of 10 on the CVSS scale.<\/p>\n<p>In the proof-of-concept attack demonstrated by Wiz, the attackers exploit this vulnerability to start a reverse shell that allows them to execute additional commands. This can lead to credential theft from the environment, such as SSH keys, AWS IAM tokens, and certificates. It can also lead to malware and cryptominer deployment.<\/p>\n<h2 class=\"wp-block-heading\">Lack of Redis authentication is a widespread issue<\/h2>\n<p>While Redis supports authentication, it is often deployed without it, especially on internal networks, but also on the internet. 
For example, the Wiz researchers note that in 57% of cloud environments, Redis is deployed as a container image and the official Redis container on Docker Hub does not have authentication enabled by default.<\/p>\n<p>\u201cThe combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default),\u201d the researchers note. \u201cThis enables attackers to exploit the vulnerability and achieve RCE within the environment.\u201d<\/p>\n<p>Around 300,000 Redis instances are exposed to the internet and an estimated 60,000 of them do not have authentication turned on. Many more are likely deployed on internal networks without additional security hardening, where any internal hosts can connect to them.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/1308535\/new-redis-attack-campaign-weakens-systems-before-deploying-cryptominer.html\">Redis servers are a common target<\/a>, along with other cloud-native technologies, for <a href=\"https:\/\/www.csoonline.com\/article\/1312070\/attack-targets-docker-hadoop-confluence-and-redis-with-new-payloads.html\">groups that deploy cryptominers on servers<\/a>. In the past other Redis Lua sandbox escape vulnerabilities \u2014 such as CVE-2022-0543, which specifically impacted the Debian Redis package \u2014 <a href=\"https:\/\/www.csoonline.com\/article\/646773\/new-peer-to-peer-worm-infects-redis-instances-through-lua-vulnerability.html\">were exploited by peer-to-peer worms<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The popular Redis in-memory data store received a patch for a critical vulnerability that leads to remote code execution on the server hosting the database. 
While the flaw requires authentication to exploit, many Redis instances don\u2019t have authentication configured and around 60,000 of them are exposed to the internet in this configuration. \u201cGiven that Redis [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5243,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5242"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5242"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5242\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5243"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}