Particle.news

Redis Patches Critical 'RediShell' RCE as Tens of Thousands of Servers Sit Exposed

The flaw lets an attacker abuse Redis’s Lua scripting engine to escape its sandbox, and many publicly reachable instances lack authentication.

Overview

  • CVE-2025-49844, dubbed RediShell, is a use-after-free bug that enables arbitrary native code execution from Lua and carries a CVSS score of 10.0.
  • Redis released fixes across open-source and commercial editions, urging immediate updates to the latest patched branches.
  • Wiz observed about 330,000 internet-exposed Redis instances, including roughly 60,000 without authentication, heightening the risk of remote compromise.
  • Germany’s BSI warned of around 4,000 unauthenticated servers in the country and cautioned that exploitation attempts are likely once details spread.
  • Recommended defenses include disabling Lua via ACLs if not needed, enabling authentication, restricting network access, running as non-root, and monitoring for suspicious activity; no in-the-wild exploitation has been confirmed.
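A redis.conf fragment applying the defenses listed above, added here as an example rather than taken from the article or from the Redis project; the passwords and ACL file path are placeholders, and the `app` user and its `app:` key prefix are assumed names.

```conf
# Added hardening example (not from the article or Redis); replace every PLACEHOLDER value.
# redis.conf does not accept trailing comments, so each comment sits on its own line.

# Risky baseline this replaces: listening on all interfaces with protected mode off and
# no password, so anyone who can reach port 6379 may send EVAL to the Lua engine.
# bind 0.0.0.0
# protected-mode no

# Restrict network access: local clients only. If remote clients are required, bind a
# specific private address instead and firewall the port.
bind 127.0.0.1 -::1
protected-mode yes
port 6379

# Enable authentication and remove Lua from the default user. The later rule wins, so
# "+@all -@scripting" grants everything except the @scripting category
# (EVAL, EVALSHA, SCRIPT and related commands).
user default on >PLACEHOLDER_STRONG_PASSWORD ~* &* +@all -@scripting

# Assumed application account: own password, limited to keys under "app:", read/write
# only, and again no scripting commands.
user app on >PLACEHOLDER_APP_PASSWORD ~app:* &* +@read +@write -@scripting

# Optional: keep user definitions and credentials in a separate, tightly permissioned file.
# aclfile /etc/redis/users.acl
```

Running as non-root is handled outside this file (the `User=` setting of the service unit or the distribution's redis service account); after reloading, a connection without AUTH should receive NOAUTH and an authenticated EVAL should receive NOPERM.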