Particle.news


Critical 'RediShell' Bug in Redis Gets Fix as Tens of Thousands Remain Exposed

Researchers warn internet‑facing, unauthenticated deployments could be targeted quickly unless systems are updated.

Overview

  • Tracked as CVE-2025-49844 with a CVSS score of 10.0, the use‑after‑free flaw in Redis’s embedded Lua engine lets an authenticated client’s Lua script escape the sandbox and execute arbitrary code on the host.
  • Redis released patches across open‑source, Stack and commercial editions, including versions 6.2.20, 7.2.11, 7.4.6, 8.0.4 and 8.2.2, and advised disabling Lua/EVAL via ACLs if updates cannot be applied immediately.
  • Wiz estimates roughly 330,000 Redis instances are exposed online and about 60,000 lack authentication, with many container deployments using images that disable auth by default and account for about 57% of cloud use.
  • Germany’s BSI warned that around 4,000 unauthenticated Redis servers are exposed in the country and said exploitation attempts are likely to follow soon; researchers are withholding technical details for now.
  • Reports say there is no confirmed in‑the‑wild exploitation yet, and administrators are urged to enable authentication, restrict network access, run Redis as non‑root, and monitor logs for suspicious behavior.
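The mitigations in the two bullets above (update to a fixed release, or deny Lua scripting through ACLs, require authentication and restrict network exposure) can be checked offline against a server's reported version and its redis.conf. The script below is an added example written for this summary; it is not code from Redis, Wiz, the BSI or Particle.news. The fixed-version table is taken only from the releases named in this summary (branches it does not name are reported as "unknown" rather than guessed), the two redis.conf samples are constructed for the example, and the ACL handling tracks only the `@all` and `@scripting` categories.

```python
"""Added example: offline checks for the CVE-2025-49844 mitigations listed above.

1. version_status(): classify a `redis_version` string (as shown by INFO) against
   the fixed versions the summary names: 6.2.20, 7.2.11, 7.4.6, 8.0.4, 8.2.2.
2. audit_conf(): flag weak redis.conf settings the summary warns about: no
   authentication, listening on all interfaces, protected mode off, and Lua
   scripting still permitted for the default user.
"""
import re

# Minimum fixed version per release branch, from the summary. Other branches
# are reported as "unknown" so nobody mistakes a guess for a patch level.
FIXED_VERSIONS = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 6),
    (8, 0): (8, 0, 4),
    (8, 2): (8, 2, 2),
}


def parse_version(s):
    """Turn '7.2.10' into (7, 2, 10); reject anything that is not x.y.z."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def version_status(s):
    """Return 'patched', 'vulnerable' or 'unknown' for a redis_version string."""
    v = parse_version(s)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def parse_conf(text):
    """Parse redis.conf into (directive, args) pairs. Only lines whose first
    character is '#' are comments; '#' inside an ACL rule is a password hash."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def scripting_allowed(rules):
    """Apply a 'user default' rule list in order, tracking only @all/@scripting.
    A user line in redis.conf starts from no permissions, so allowed starts False."""
    allowed = False
    for r in rules:
        r = r.lower()
        if r in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit_conf(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    directives, default_user = {}, None
    for name, args in parse_conf(text):
        if name == "user" and args and args[0] == "default":
            default_user = args[1:]
        else:
            directives[name] = args
    findings = []

    # Authentication: requirepass, or a default-user ACL rule carrying a password.
    rules = default_user or []
    has_acl_pw = any(r.startswith((">", "#")) for r in rules)
    if "requirepass" not in directives and not has_acl_pw:
        findings.append("no authentication: set requirepass or give the default user a password")
    elif "nopass" in rules:
        findings.append("default user is configured with nopass")

    # Network exposure: no bind (or a wildcard bind) listens on every interface.
    bind = [b.lstrip("-") for b in directives.get("bind", [])]
    if not bind or any(b in ("0.0.0.0", "*", "::", "::*") for b in bind):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is off")

    # Interim mitigation from the summary: deny Lua via ACLs until patched.
    # Without a 'user default' line Redis grants the default user +@all.
    if default_user is None or scripting_allowed(default_user):
        findings.append("Lua scripting allowed for default user: add -@scripting until patched")
    return findings


# Constructed samples: an exposed, unauthenticated config and a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
# Constructed placeholder password; use a long random secret in practice.
user default on >ChangeMe-Long-Random-Secret ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for v in ("7.2.10", "7.2.11", "8.2.2", "7.0.15"):
        print(v, version_status(v))
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_conf(conf) or ["ok"])
```

Running Redis as a non-root user and monitoring its logs, the remaining two items in the summary, live outside redis.conf (the service unit and your logging pipeline) and are not covered by this script.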