A critical vulnerability buried in Redis for over a decade (13 years to be exact!) has come to light and the scale of exposure is nothing short of staggering. Dubbed RediShell, this bug allows attackers to execute code directly on Redis servers, offering a fast track to full system takeover.
With Redis embedded in three-quarters of cloud environments, this is a foundational issue. Here's what every IT and security leader needs to know right now.
1. A Decade-Old Bug Is Now a Cloud-Scale Threat
The RediShell vulnerability (CVE-2025-49844) is the result of a use-after-free memory corruption flaw in Redis's Lua scripting engine, present since 2012. This quiet flaw remained undetected for 13 years, until Wiz Research exposed how attackers can use it to escape the Lua sandbox and run native code on the host (Wiz, 2025). It earned a CVSS score of 10.0, the highest possible, and it marks the first Redis bug to ever hit that ceiling.
2. Over 330,000 Systems Are Sitting Wide Open
Wiz's investigation uncovered more than 330,000 Redis instances exposed to the public internet. Over 60,000 of these require no authentication. Even more concerning: 57% of Redis environments are deployed using container images that often skip basic hardening. The default Redis container ships with no password protection and Lua scripting fully enabled, making it a dream target for attackers scanning the web.
3. Exploiting It Means Total Takeover
Once an attacker gains access, the path to full system control is alarmingly straightforward. A malicious Lua script exploits the memory flaw, breaks the sandbox, and grants the attacker command execution on the host. From there, they can steal credentials, plant malware, siphon off data, hijack cloud services, or pivot into more sensitive systems. The attack chain is surgical and truly devastating.
4. Patches Are Available, but Time Is Short
Redis has already issued patched versions across its commercial, open-source, and Redis Stack lines. Updating is essential going forward, but it's just the start. Organizations must also enable authentication, run Redis under non-root privileges, limit access via firewalls or VPCs, and disable Lua scripting if not absolutely necessary. Logging and monitoring should be activated to detect signs of exploitation.
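A configuration audit for the hardening steps above, as an added example that is not code from Redis or Wiz: it checks redis.conf text for authentication, network exposure, protected mode and Lua scripting restrictions on the default user. The finding names and both sample configs are constructed for illustration; process privileges and patch level cannot be read from a config file and are not checked.

```python
import shlex

ALL_IFACES = {"*", "0.0.0.0", "::", "::*"}

def parse(conf_text):
    """Parse redis.conf-style text into (directive, [args]) pairs."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            words = shlex.split(line)
            pairs.append((words[0].lower(), words[1:]))
    return pairs

def scripting_allowed(rules):
    """Walk ACL rules left to right; conservatively start from 'allowed'."""
    allowed = True
    for r in rules:
        if r in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif r in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed and "off" not in rules

def audit(conf_text):
    """Return sorted finding codes (hypothetical names) for the default user and listener."""
    conf = parse(conf_text)
    rules = [r for k, a in conf if k == "user" and a[:1] == ["default"] for r in a[1:]]
    findings = set()
    # Authentication: a requirepass value, or a password/hash rule on the default user.
    has_secret = any(k == "requirepass" and a and a[0] for k, a in conf) or any(
        r[:1] in (">", "#") for r in rules)
    if "off" not in rules and ("nopass" in rules or not has_secret):
        findings.add("no-auth")
    # Network exposure: no bind directive means every interface is used.
    binds = [b.lstrip("-") for k, a in conf if k == "bind" for b in a]
    if not binds or ALL_IFACES & set(binds):
        findings.add("listens-on-all-interfaces")
    if ("protected-mode", ["no"]) in conf:
        findings.add("protected-mode-off")
    # Lua: blocked by an ACL rule, or by renaming EVAL and EVALSHA to "".
    renamed_off = {a[0].lower() for k, a in conf if k == "rename-command" and a[1:] == [""]}
    if scripting_allowed(rules) and not {"eval", "evalsha"} <= renamed_off:
        findings.add("lua-scripting-enabled")
    return sorted(findings)

# Constructed samples, not taken from any real deployment.
DEFAULT_LIKE = "port 6379\nprotected-mode no\n"
HARDENED = "bind 127.0.0.1 10.0.0.5\nprotected-mode yes\nuser default on >CHANGE-ME-placeholder ~* +@all -@scripting\n"
```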
5. This Is a Red Flag for Cloud Dependency on Open Source
RediShell exposes a broader risk embedded into the structure of cloud infrastructure: heavy reliance on aging open-source code. Redis is fast and powerful, but this flaw highlights how easily default configurations and legacy bugs can turn foundational tools into high-risk assets. That’s why Wiz and other security firms are investing in ZeroDay.Cloud, a community-led initiative to proactively surface threats buried in cloud-critical software.
The Bottom Line
RediShell offers attackers a straight line into some of the most widely used cloud systems on Earth. Every Redis instance running Lua scripting should be considered at risk. The fix exists, but waiting increases exposure. In the world of cloud security, speed matters. Patch fast, harden systems, and don’t assume your containers are safe by default.