Researchers Uncover 13-Year-Old Redis Flaw Impacting Nearly 330,000 Instances
The bug, tracked as CVE-2025-49844 and nicknamed RediShell, carried a top severity score — 10.0 on the CVSS scale — and affected every Redis release.
An attacker able to submit a Lua script (a capability Redis supports by default) could trigger the flaw, break out of the embedded Lua interpreter and run arbitrary native code on the host. From there, attackers could steal credentials, deploy malware and move to other cloud services using stolen IAM tokens.
The attack flow mapped by the researchers followed a familiar but dangerous pattern: an attacker sends a crafted Lua payload to exploit the flaw and establish a reverse shell, then harvests SSH keys, IAM tokens and certificates before moving laterally.
The post-exploitation phase could include installing cryptominers, exfiltrating sensitive keys or encrypting data for extortion. Because the exploit requires no prior authentication on many default installs, defenders cannot rely on account controls to blunt initial access.
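Since the flaw is reachable through script submission and many stock installs accept it without a password, a defender's first question is which users can hand Redis a Lua script at all. The following Python audit is an added example, not code from the article or from the Redis project: it parses `ACL LIST` output offline and reports each enabled user who can run a scripting command and whether that user needs no password. It models only the rules it names (`@all`, `@scripting`, `@slow`, per-command `+`/`-`) and ignores other categories and selectors, so treat it as a first pass rather than a full ACL evaluator.

```python
# Lua entry points; Redis groups them under @scripting (assumption: list is complete enough).
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "script", "fcall", "fcall_ro", "function"}
# Category rules that grant or revoke all of them (all are in @slow as well).
GRANTS = {"+@all", "+@scripting", "+@slow", "allcommands"}
REVOKES = {"-@all", "-@scripting", "-@slow", "nocommands"}

def can_run_scripting(rules):
    """Apply rules left to right (later wins); True if a scripting command stays allowed."""
    allowed = set()
    for rule in rules:
        if rule in GRANTS:
            allowed |= SCRIPTING_COMMANDS
        elif rule in REVOKES:
            allowed.clear()
        elif len(rule) > 1 and rule[0] in "+-" and rule[1] != "@":
            cmd = rule[1:].split("|")[0].lower()  # "+function|load" -> "function"
            if cmd in SCRIPTING_COMMANDS:
                (allowed.add if rule[0] == "+" else allowed.discard)(cmd)
    return bool(allowed)  # other categories and selectors "(...)" are ignored

def parse_acl_line(line):
    """Parse one `ACL LIST` line; key (~), channel (&) and hash (#) tokens are skipped."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    user = {"name": tokens[1], "enabled": False, "nopass": False, "rules": []}
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            user["enabled"] = tok == "on"
        elif tok == "nopass":
            user["nopass"] = True
        elif tok[0] in "+-" or tok in ("allcommands", "nocommands"):
            user["rules"].append(tok)
    return user

def audit_acl(lines):
    """One finding per enabled user who can submit scripts; flags no-password users."""
    findings = []
    for user in map(parse_acl_line, lines):
        if user["enabled"] and can_run_scripting(user["rules"]):
            findings.append({"user": user["name"], "unauthenticated": user["nopass"]})
    return findings

# Constructed sample, not captured from a real server; "#<hash>" is a placeholder.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash> ~app:* &* -@all +@read +@write -@scripting",
    "user batch on #<hash> ~* &* -@all +get +eval",
    "user legacy off nopass ~* &* +@all",
]
```

On the sample, `audit_acl(SAMPLE_ACL_LIST)` flags `default` (scripting allowed, no password) and `batch` (scripting allowed, password required), while `app`, whose rules end in `-@scripting`, is not reported.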
Redis developers moved quickly after responsible disclosure, publishing an advisory and patching the vulnerability.