SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Critical Redis flaw threatens 330,000 cloud systems globally

Thu, 9th Oct 2025

Wiz Research has identified a critical Remote Code Execution (RCE) vulnerability in Redis that has been present in the source code for over a decade, impacting all versions of the widely used database technology.

The newly discovered vulnerability, designated CVE-2025-49844 and nicknamed 'RediShell', has been assigned a Common Vulnerability Scoring System (CVSS) score of 10.0, indicating the highest severity possible. Redis is estimated to be present in 75% of cloud environments, which significantly broadens the potential risk associated with the flaw.

Vulnerability background

According to Wiz Research, RediShell is the result of a Use-After-Free (UAF) memory corruption bug that has persisted in the Redis codebase for approximately 13 years. This bug enables attackers who have gained access, or operate in environments where no authentication is required, to deploy a malicious Lua script that breaks out of the intended sandbox, achieving arbitrary code execution on the server host.

This level of access may allow attackers to exfiltrate, erase, or encrypt sensitive data, commandeer system resources, and move laterally within affected cloud networks.

Wiz Research stated: "Given that Redis is used in an estimated 75% of cloud environments, the potential impact is extensive. Organisations are strongly urged to patch instances immediately by prioritizing those that are exposed to the internet."

A patched version of Redis is now available, and users are advised to upgrade as a priority, especially for Redis deployments accessible via the internet or lacking authentication. Wiz Research commented on Redis's response to the disclosure: "We extend our gratitude to the entire Redis team for their collaboration throughout the disclosure process. We greatly appreciate their transparency, responsiveness, and partnership during this engagement."

Deployment and exposure statistics

The impact of the vulnerability is heightened by common Redis deployment practices. Wiz Research's survey found that approximately 330,000 Redis instances are exposed to the public internet, with an estimated 60,000 lacking any authentication mechanism. Additionally, 57% of cloud environments run Redis as container images, many of which are not properly hardened from a security standpoint. The official Redis container image does not require authentication by default, which can leave systems especially vulnerable if exposed externally.

Wiz Research's assessment highlighted: "Our analysis across cloud environments revealed the extensive scope of this vulnerability: Approximately 330,000 Redis instances are exposed to the internet at the time of this blog post. About 60,000 instances have no authentication configured. 57% of cloud environments install Redis as container images, many without proper security hardening."

Attack flow and potential impact

The technical attack sequence involves sending a specifically crafted Lua script to exploit the UAF vulnerability, escaping the Lua sandbox, gaining arbitrary code execution, and then establishing persistent access to the host, such as through a reverse shell. Attackers may then steal credentials including SSH keys, IAM tokens, or certificates, install malware, exfiltrate sensitive data, and attempt lateral movement within cloud networks.

Wiz Research explained: "The urgency with which you should address this vulnerability depends on how Redis was installed and its exposure level." They further cautioned, "Critical Risk - Internet-Exposed + Unauthenticated: The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default). This enables attackers to exploit the vulnerability and achieve RCE within the environment."

The research team also warned about internal risk: "High Risk - Internal Network Exposure: More Redis instances are exposed to internal networks where authentication may not be prioritized, allowing any host in the local network to connect to the database server. An attacker with a foothold in the cloud environment could gain access to sensitive data and exploit the vulnerability to run arbitrary code for lateral movement into sensitive networks."

Recommendations and mitigation steps

Wiz Research has provided a number of recommended actions for organisations using Redis, aimed at reducing the potential impact of exploitation. These include:

  • Upgrading Redis to the latest patched version, with special focus on instances exposed to the internet or lacking authentication
  • Enabling authentication with the 'requirepass' directive
  • Disabling Lua scripting if not required, either by revoking user scripting permissions or disabling scripting commands
  • Running Redis with non-root privileges
  • Enabling logging and monitoring for Redis activity
  • Implementing network-level controls, such as firewalls and restricting access to authorised networks only
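As an added example (not part of the article, and not Wiz Research's or the Redis project's tooling), the Python script below audits a redis.conf file for the configuration items in the list above: authentication, network binding and protected mode, and whether Lua scripting is still reachable, either through an ACL rule on the default user or by renaming the scripting commands away. The directive names are real redis.conf and ACL syntax; the two sample configurations are constructed, and the set of scripting commands is my assumption of the Redis 7 entry points. Running as a non-root user and external logging or monitoring are process and platform settings that a config file cannot show, so they are out of scope here.

```python
"""Static audit of a redis.conf against the hardening points listed above.

Added example, not Wiz Research's or Redis's own tooling. Directive names
are real redis.conf / ACL syntax; the sample configurations are constructed.
"""
from __future__ import annotations

import shlex

# Scripting entry points as of Redis 7 (assumed set; older servers only
# expose the first three). Renaming all of them to "" disables scripting.
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                      "SCRIPT", "FUNCTION", "FCALL", "FCALL_RO"}
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs in file order; repeated directives are kept."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the "" argument of rename-command
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    conf = parse_conf(text)

    def args_of(name: str) -> list[list[str]]:
        return [args for key, args in conf if key == name]

    findings: list[str] = []

    # 1. Authentication: requirepass, or a password (>plain / #sha256) on the default ACL user.
    requirepass = any(args and args[0] for args in args_of("requirepass"))
    default_rules = [args[1:] for args in args_of("user") if args and args[0] == "default"]
    acl_password = any(tok[:1] in (">", "#") for rules in default_rules for tok in rules)
    nopass = any("nopass" in rules for rules in default_rules)
    if nopass or not (requirepass or acl_password):
        findings.append("no authentication: set requirepass or a default-user ACL password")

    # 2. Network exposure: a wildcard (or absent) bind and protected-mode switched off.
    bind_tokens = [tok.lstrip("-") for args in args_of("bind") for tok in args]
    if not bind_tokens or any(tok in WILDCARD_BINDS for tok in bind_tokens):
        findings.append("listens on all interfaces: bind to specific addresses")
    if any(args and args[0].lower() == "no" for args in args_of("protected-mode")):
        findings.append("protected-mode is off")

    # 3. Scripting: denied through the @scripting ACL category, or every command renamed away.
    acl_denies = any("-@scripting" in rules for rules in default_rules)
    renamed_away = {args[0].upper() for args in args_of("rename-command")
                    if len(args) == 2 and args[1] == ""}
    if not (acl_denies or SCRIPTING_COMMANDS <= renamed_away):
        findings.append("Lua scripting reachable: deny @scripting via ACL or rename EVAL/EVALSHA/SCRIPT away")

    return findings


# Constructed sample: a container-style config with protected mode turned off and no password.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same service with the recommended controls applied
# (CHANGE-ME-placeholder stands in for a real secret).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
user default on >CHANGE-ME-placeholder ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {len(audit_redis_conf(conf))} finding(s)")
        for finding in audit_redis_conf(conf):
            print("  -", finding)
```

The ACL rule route is preferred over `rename-command` on Redis 6 and later, since it keeps the commands in place for administrative users while denying the whole scripting category to the default user; the check accepts either approach. Point the script at a real file with `audit_redis_conf(open("redis.conf").read())`.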

The team stressed:

"We recommend that all Redis users upgrade their instances immediately, as this vulnerability poses a significant risk."

Industry context

This vulnerability is notable not only for its technical severity and the potential scale of affected systems, but also because it highlights ongoing reliance on open source technologies within cloud infrastructure. Wiz Research stated: "This vulnerability also highlights how deeply today's cloud environments depend on open-source technologies like Redis. That shared reliance is what motivated us, alongside other cloud providers, to launch ZeroDay.Cloud, a community-driven effort to identify and responsibly disclose critical zero-day vulnerabilities in the open-source software powering the cloud. Redis, along with other core open-source technologies, is part of that effort."

The full technical analysis, including the specific attack flow and further security recommendations, will be published by Wiz Research in a subsequent publication, allowing affected organisations time to apply mitigation steps first. Wiz Research will continue to monitor the threat landscape and update the community with additional information as it becomes available. The team concluded, "This research was conducted by the Wiz Research team. We thank the Redis security team for their professional handling of this disclosure and their commitment to user security."
