13-Year-Old RediShell Vulnerability Puts 60,000 Redis Servers at Risk
Critical Redis flaw RediShell (CVE-2025-49844) exposes 60,000 servers to remote code execution. Patch immediately to prevent full system compromise.
A new vulnerability in Redis, now known as RediShell (CVE-2025-49844), has put tens of thousands of servers at risk of remote compromise. The flaw, rated with a maximum CVSS score of 10.0, has existed unnoticed in Redis code for over a decade and is now being called one of the most serious issues ever found in the open-source database.
The issue lies in a use-after-free bug in Redis’s Lua interpreter, which can be exploited through a malicious Lua script. Attackers can escape the interpreter’s sandbox and run arbitrary code on the host system. This level of access can allow theft of data, installation of malware, or the use of compromised servers for additional attacks.
Cybersecurity researchers from Wiz, who found the issue, estimate that about 330,000 Redis instances are currently exposed to the internet, with roughly 60,000 running without any authentication. Redis is commonly used in cloud environments for caching and session management, which means the reach of this vulnerability is far greater than that of a typical software bug.
The Redis team responded quickly, releasing a patched version and a security advisory on October 3. Wiz researchers had privately reported the issue in May after identifying it during Pwn2Own Berlin. The disclosure process was handled collaboratively, with Redis engineers coordinating fixes before public release.
The risk varies depending on how Redis is deployed. Instances exposed directly to the internet without authentication face the highest danger. In those setups, anyone could connect and run Lua scripts remotely, which provides a direct path for exploitation.
Even within internal networks, the bug poses significant exposure if authentication is weak or absent, as attackers already inside a corporate environment could exploit it for lateral movement.
Wiz’s analysis shared with Hackread.com found that 57% of Redis deployments in cloud environments run as container images. Many of these containers are deployed without proper access controls or configuration checks, making them particularly vulnerable.
If exploited, an attacker could send a crafted Lua script to trigger the memory corruption, escape the sandbox, and establish full control over the host. Once inside, they could exfiltrate credentials, install miners or backdoors, and use stolen tokens to move across connected cloud systems.
Researchers are urging all Redis users to upgrade to the latest version and verify their configurations. Enabling authentication, disabling Lua scripting when not needed, restricting network access, and running Redis under a non-root account are key mitigation steps. Logging and monitoring should also be turned on to detect unusual activity.
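The configuration side of those mitigations can be checked mechanically. The script below is an added example, not code from Hackread, Wiz or the Redis project: it reads the text of a redis.conf and reports which of the recommended settings are missing (authentication, network exposure, Lua scripting reachable). The three sample configs are constructed; the password placeholders are not real credentials. The non-root recommendation is a property of the service unit or container, not of redis.conf, so it is not audited here.

```python
"""Audit a redis.conf for the mitigations named above: authentication,
scripting disabled, network exposure restricted. Added example; not from
Hackread or the Redis project. Works on config text only, so it runs offline."""

# Commands that run or manage Lua scripts. FUNCTION/FCALL exist only on Redis 7+
# (rename-command for an unknown command fails at startup on older builds), so the
# rename-based check covers the classic trio; the @scripting ACL category covers all.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}


def parse_conf(text):
    """Return (directive, args) pairs, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _allows_scripting(rules):
    """Walk ACL tokens for 'user default' in order; later tokens override earlier ones.
    A user defined in the config starts with no command permissions."""
    allowed = False
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = False
        elif tok[:1] in "+-" and tok[1:].upper() in SCRIPTING_COMMANDS:
            allowed = tok[0] == "+"
    return allowed


def audit(text):
    """Return a list of findings; empty when the config meets the mitigations."""
    entries = parse_conf(text)
    findings = []
    default_rules = [a for d, a in entries if d == "user" and a[:1] == ["default"]]
    has_acl_file = any(d == "aclfile" for d, _ in entries)

    # 1. Authentication: requirepass, or a password-bearing ACL on the default user.
    has_requirepass = any(d == "requirepass" and a and a[0] not in ('""', "''")
                          for d, a in entries)
    acl_password = any(any(t.startswith((">", "#")) for t in rule) and "nopass" not in rule
                       for rule in default_rules)
    if not (has_requirepass or acl_password or has_acl_file):
        findings.append("no authentication: set requirepass or give the default user a password")

    # 2. Network exposure: no bind (listens everywhere), wildcard bind, or protected mode off.
    binds = [a for d, a in entries if d == "bind"]
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    elif any(addr.lstrip("-") in ("0.0.0.0", "*", "::") for a in binds for addr in a):
        findings.append("bind exposes Redis on all interfaces")
    if any(d == "protected-mode" and a[:1] == ["no"] for d, a in entries):
        findings.append("protected-mode is off")

    # 3. Scripting: every scripting command renamed to "", or denied to default via ACL.
    renamed = {a[0].upper() for d, a in entries
               if d == "rename-command" and len(a) == 2 and a[1] in ('""', "''")}
    acl_denies = bool(default_rules) and not any(_allows_scripting(r[1:]) for r in default_rules)
    if not (SCRIPTING_COMMANDS <= renamed or acl_denies):
        findings.append('Lua scripting reachable: rename EVAL/EVALSHA/SCRIPT to "" '
                        "or set -@scripting on the default user")
    return findings


# Constructed sample: an exposed, unauthenticated container-style deployment.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: ACL-based hardening (Redis 6+); placeholder password only.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
user default on >CHANGE_ME_example_only ~* &* +@all -@scripting
"""

# Constructed sample: pre-ACL style hardening with requirepass and rename-command.
LEGACY_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass CHANGE_ME_example_only
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(f"{name}: {audit(conf) or ['ok']}")
```

Run it as-is to compare the three samples, or point `audit()` at the contents of a real redis.conf. Absence of a `bind` line is reported as a finding because Redis listens on every interface in that case; only `protected-mode yes` (the default) stands between such an instance and unauthenticated remote access.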
“This newly disclosed Redis vulnerability is a reminder that technical debt doesn’t just live in code; it lives in configuration. Thirteen years of latent risk surfaced because default settings and weak segmentation went unobserved,” said Anders Askasen, VP of Product Marketing at Radiant Logic.
“When foundational services like Redis run unauthenticated or exposed, they create invisible attack paths that can pivot directly into identity and access systems,” he added. “The answer isn’t just patching faster but seeing sooner. Identity observability provides the real-time visibility, control, validation, and remediation needed to uncover these blind spots before attackers do.”
The RediShell vulnerability shows how much modern infrastructure depends on open-source software and how old code can carry hidden risks for years. Redis is used by more than three-quarters of cloud environments, so patching and tightening security configurations should be treated as an immediate priority.