A critical remote code execution (RCE) vulnerability in Redis—tracked as CVE-2025-49844 has exposed a dangerous flaw in the official Redis container image that has gone unnoticed for over a decade.
The flaw enables unauthenticated attackers to exploit a use-after-free vulnerability in Redis’s Lua scripting engine, allowing them to achieve arbitrary code execution on the host system.
With the official Redis image deployed in 57% of cloud environments and defaulting to no authentication, internet-exposed instances are trivial targets for threat actors, while internal deployments relying on convenience over security face heightened risks for lateral movement and privilege escalation.
Widespread Deployment and Default Insecurity
Redis is ubiquitous in modern infrastructures, powering caching layers, message brokers, and session stores across cloud and on-premises environments.
According to recent research, the official Redis container image is deployed in 57% of cloud setups and, by default, does not enforce authentication.
This configuration exposes Redis instances directly to the internet without any access controls, creating a severe attack surface.
Internal networks are not immune: administrators often disable authentication for ease of maintenance, allowing attackers who gain initial access to pivot through networks by exploiting unprotected Redis servers.
Dubbed “RediShell” by researchers, the exploitation process begins when attackers send specially crafted Lua scripts targeting the use-after-free vulnerability in Redis’s sandbox.
These malicious scripts circumvent the sandboxing mechanisms, triggering memory corruption that enables arbitrary code execution on the underlying host.
Once control is established, adversaries can execute a full compromise sequence, including stealing SSH keys, IAM tokens, and certificates; installing persistent backdoors or cryptocurrency miners; and deploying reverse shells for long-term access.
This attack chain underscores the potential for attackers to escalate privileges and move laterally within networks.
Disclosure Timeline and Urgency
CVE-2025-49844 was first reported at the Pwn2Own Berlin security contest on May 16, 2025, demonstrating how long organizations have operated with this critical flaw unknowingly.
Redis Labs officially published a security advisory on October 3, 2025, alongside patched versions to address the vulnerability.
Notably, this is the first Redis vulnerability assigned a critical severity rating and one of fewer than 300 vulnerabilities given a maximum CVSS score in the past year.
The high severity reflects both the ease of exploitation and the widespread deployment of Redis.
Organizations worldwide must prioritize updating Redis instances immediately.
Applying the patched Redis container image and enabling robust authentication measures are essential first steps.
Failure to remediate promptly could result in severe data breaches, system takeovers, and persistent network compromises.
| CVE Identifier | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-49844 | Official Redis container image ≤ 7.0.20 | Arbitrary code execution on host system | Internet-exposed or internal Redis with no authentication | 10.0 |
Organizations must treat CVE-2025-49844 as an urgent security priority and implement remediation measures without delay.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
%20(1).webp?resize=1600,900&ssl=1&description=The flaw allows unauthenticated attackers to exploit a use-after-free bug in Redis’s Lua scripting engine, achieving arbitrary code execution on the host system.){kind=link}