Security research firm Wiz is strongly urging organisations to patch a very serious vulnerability in the Redis database that, if exploited, can grant attackers full access to host systems.

Furthermore, Wiz warned that a successful attack could allow attackers to exfiltrate, wipe or encrypt sensitive data, hijack resources and enable lateral movement within cloud environments.
A memory corruption bug that's been in the Redis source code for around 13 years is to blame for the vulnerability.
An authenticated attacker could exploit it with a script written in the Lua language, which Redis supports by default, and achieve arbitrary native code execution on the target host.
The age of the bug means that all Redis software releases are impacted.
"Given that Redis is used in an estimated 75 percent of cloud environments, the potential impact is extensive," Wiz said.
Wiz estimated that around 330,000 Redis instances are exposed to the Internet, with some 60,000 having no authentication configured.
The security firm also said that 57 percent of cloud environments install Redis as container images, with many of them not having proper security hardening.
Wiz notified Redis in May this year, at the Pwn2Own security conference in Berlin, Germany.
Redis has now issued a patch for the vulnerability, which is tracked as CVE-2025-49844.
Admins should also restrict network access to Redis databases with firewalls and policies, enforce strong authentication, and limit permissions.
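The three hardening measures just listed (restrict network access, enforce authentication, limit permissions) all map onto directives in a Redis configuration file. The following audit script is an added illustration, not code from Wiz or the Redis project: it parses a `redis.conf` text and flags the exposure conditions the article describes, including whether any enabled ACL user is still allowed to run Lua scripts via EVAL. Both configuration samples are constructed for the example, and the ACL evaluation is a deliberate simplification of Redis's real rule engine (it tracks only the `@all`/`@scripting` categories and the explicit EVAL-family commands).

```python
"""Audit a redis.conf for network exposure, missing authentication and
over-broad command permissions (added example; configs are constructed)."""
import shlex

# Constructed sample: reachable from anywhere, no password, default user
# keeps Redis's built-in full command set, including Lua scripting.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, default user disabled, application
# user limited to its own keys and denied the scripting category outright.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
user default off
user app on >correct-horse-battery-staple ~app:* &* +@read +@write -@scripting -@dangerous
"""


def parse_conf(text):
    """Return (directive, [args]) pairs, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def scripting_allowed(rules, is_default):
    """Simplified ACL walk: Redis's built-in default user starts with every
    command; any other user starts with none. Rules apply left to right."""
    allowed = is_default
    for rule in rules:
        low = rule.lower()
        if low in ("+@all", "allcommands", "+@scripting",
                   "+eval", "+evalsha", "+function", "+script"):
            allowed = True
        elif low in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit_conf(text):
    """Return a list of human-readable findings for the given redis.conf text."""
    entries = parse_conf(text)
    findings = []

    # 1. Network reachability: no bind at all, or a wildcard address.
    binds = [args for d, args in entries if d == "bind"]
    if not binds:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    elif any(a.lstrip("-") in ("0.0.0.0", "::", "*") for args in binds for a in args):
        findings.append("bind includes a wildcard address: reachable from any network")
    if any(d == "protected-mode" and args and args[0].lower() == "no"
           for d, args in entries):
        findings.append("protected-mode is off")

    # 2. Authentication: collect ACL users; an absent 'user default' line means
    #    the built-in default user is enabled with no password.
    users = {}
    for d, args in entries:
        if d == "user" and args:
            users.setdefault(args[0], []).extend(args[1:])
    has_requirepass = any(d == "requirepass" and args and args[0]
                          for d, args in entries)
    default_rules = users.get("default", [])
    default_enabled = "off" not in default_rules
    default_has_pw = has_requirepass or any(r[:1] in (">", "#") for r in default_rules)
    if default_enabled and ("nopass" in default_rules or not default_has_pw):
        findings.append("default user is enabled without a password")
    for name, rules in users.items():
        if name != "default" and "on" in rules and "nopass" in rules:
            findings.append(f"user '{name}' is enabled with nopass")

    # 3. Permissions: which enabled users may still run Lua scripts.
    if default_enabled and scripting_allowed(default_rules, is_default=True):
        findings.append("default user can run Lua scripts (EVAL)")
    for name, rules in users.items():
        if name != "default" and "on" in rules and scripting_allowed(rules, is_default=False):
            findings.append(f"user '{name}' can run Lua scripts (EVAL)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run against the two samples, the weak configuration produces four findings (wildcard bind, protected mode off, passwordless default user, Lua scripting available to that user) and the hardened one produces none. Denying `@scripting` limits what an authenticated client can reach; it is a permissions mitigation that narrows exposure, while applying the vendor patch remains the actual fix.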
Redis is an acronym for Remote Dictionary Server.
It is an open-source NoSQL database that stores information in system memory as opposed to disk storage.
This provides high read and write speeds, making Redis a favoured choice for cloud workloads such as caching, session management and real-time analytics that demand performance and low-latency responsiveness.
Wiz is currently being acquired by Google's parent company Alphabet in a massive, US$32 billion all-cash deal.