
The RediShell RCE vulnerability, a critical flaw in the Lua scripting engine embedded in Redis, was publicly disclosed in early October 2025. CVE-2025-49844, dubbed "RediShell" by Wiz, is a use-after-free bug that can be used to escape the Lua sandbox and achieve remote code execution (RCE) on the host.
Redis and security researchers have urged immediate patching; the vulnerability is rated critical (CVSS 10.0).
RediShell RCE Vulnerability (CVE-2025-49844) Overview

RediShell (CVE-2025-49844) is a use-after-free memory corruption bug in the Lua interpreter embedded in Redis. A specially crafted Lua script can manipulate the garbage collector so that freed memory is reused, escape the sandbox, and run native code with the privileges of the Redis process. The vulnerable code has been present since around 2012, so every Redis build that accepts Lua scripts is at risk until it is patched. An internet-exposed instance with authentication disabled can be found by automated scanning and exploited with a single crafted script, which is why mitigation cannot wait. Note that authentication narrows who can reach the bug but does not remove it: any client permitted to run EVAL (including a compromised application host) can trigger it on an unpatched server.
RediShell RCE Vulnerability Analysis Using Criminal IP Asset Search
By running the query “product: Redis” in Criminal IP Asset Search, you can quickly identify Redis instances exposed to the internet.
Criminal IP Search Query: “product: Redis”

As of October 27, 2025, a total of 59,755 Redis instances were identified on Criminal IP. The United States accounted for the largest number with 11,863 instances, followed by China (6,473) and France (5,012).
Additionally, by using the cve_id filter, you can narrow the search to detect only the instances affected by a specific vulnerability.
Criminal IP Search Query: “cve_id: CVE-2025-49844”

Running the query "cve_id:CVE-2025-49844" reveals 8,500 instances worldwide as of October 27, 2025. This suggests that a large number of servers remain unpatched and exposed to the internet, underscoring the need for immediate action. Because the CVE tag is derived from the version the service reports, treat a match as an indicator of an unpatched build rather than proof of exploitability; an instance that requires authentication or denies scripting commands is much harder to reach, but it should still be patched.
Notably, many instances are flagged as “Dangerous” or “Critical” under the Inbound category. This designation indicates that the Redis instance is directly reachable via public routes, allowing attackers to discover vulnerable servers through automated scanning and deliver malicious Lua scripts to achieve host-level compromise. (This functionality is available starting from the Criminal IP Starter plan.)
RediShell RCE Vulnerability by Country — Criminal IP Element Analysis
Clicking the “More” button in the lower-right of the search results reveals country-level Element Analysis data in addition to the basic search results.

According to Criminal IP Element Analysis, instances affected by the RediShell RCE are concentrated in the United States (1,887), France (1,324), and Germany (929); together these three countries account for 4,140 of the 8,500 instances, nearly half of the total exposure.
This suggests that Redis infrastructure is heavily concentrated in certain regions, or that a relatively large number of unauthenticated instances have been found within public infrastructure in these countries. In addition, South Korea ranked 17th globally, with a total of 73 exposed instances detected.
RediShell RCE Vulnerability: Additional Analysis of Specific IP Addresses
On Criminal IP’s IP Report page, you can view detailed information for a specific IP address — including which vulnerabilities affect it, any exploitation history, open ports, geolocation, WHOIS records, and other relevant details.

Opening one of the IPs returned by the query cve_id: CVE-2025-49844, the host was found to have 15 open ports and 12 detected vulnerabilities.
Among these, the exposed port 6379 (Redis) is the primary inspection target, as it is the service directly affected by the RediShell vulnerability. At the same time, port 3306 (MySQL) has several CVEs mapped to it, indicating a second exposed database service. This host is in a state of compound exposure, with multiple ports and services reachable at once, so a single exploited vulnerability could quickly widen the scope of impact (for example, credentials recovered from the Redis host could be reused against the database).
RediShell RCE Vulnerability Exploitation Scenario
The typical flow for an attacker to exploit RediShell and take control of the entire system is as follows:
- Initial Compromise: the attacker sends a specially crafted Lua script to Redis (through EVAL or a related scripting command) that triggers the use-after-free.
- Sandbox Escape: the script breaks out of the Lua sandbox and achieves arbitrary native code execution inside the Redis process, with whatever privileges that process holds.
- Persistent Access: the attacker installs a reverse shell or plants a backdoor to keep remote access to the host.
- System Damage: the attacker steals credentials (e.g., SSH keys, IAM tokens, certificates) from the host and its services, installs malware or cryptominers, and exfiltrates sensitive data from both Redis and the host.
- Lateral Movement: using the stolen credentials, such as IAM tokens, the attacker expands access to other cloud services or systems, escalates privileges, and compromises additional hosts.
This scenario shows that RediShell leads to full host compromise rather than a mere process crash. Early detection and blocking of script delivery, together with authentication, network segmentation, and continuous monitoring, are therefore essential.
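The first step of the scenario above is a Lua script arriving over the network. One cheap way to see whether that is happening on an instance you control is to watch the command stream for scripting commands from unexpected peers. The following is an added example for this post (it is not Criminal IP's or Redis's code): it parses the line format printed by `redis-cli MONITOR` and flags EVAL, EVALSHA, SCRIPT LOAD and related calls whose client address is outside an assumed application subnet. The sample MONITOR lines and the allow-list are constructed for the example.

```python
"""Flag Lua-script commands reaching Redis from outside trusted subnets.

Added example for this post (not Criminal IP's or Redis's code). It parses the
line format printed by `redis-cli MONITOR`:

    <unix-ts> [<db> <client-ip>:<port>] "<COMMAND>" "<arg>" ...

and reports EVAL/EVALSHA/SCRIPT LOAD/FUNCTION LOAD calls whose client address
is outside the subnets expected to run scripts. The sample lines and the
allow-list below are constructed for the example.
"""
import ipaddress
import re
import shlex

# Commands that hand caller-supplied Lua (or a stored script) to the interpreter.
SCRIPT_COMMANDS = {"EVAL", "EVAL_RO", "EVALSHA", "EVALSHA_RO", "FCALL", "FCALL_RO"}
SCRIPT_SUBCOMMANDS = {("SCRIPT", "LOAD"), ("FUNCTION", "LOAD"), ("FUNCTION", "RESTORE")}

MONITOR_LINE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.+)$")


def parse_monitor_line(line):
    """Return {'ts', 'db', 'host', 'args'} or None for a non-matching line.

    'host' is None for commands issued from inside a running script (MONITOR
    shows those with the pseudo-client 'lua') and for unix-socket peers.
    """
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    client = m.group("client")
    if client == "lua" or client.startswith("unix:"):
        host = None
    else:
        host = client.rpartition(":")[0].strip("[]")  # IPv6 peers print as [addr]:port
    try:
        args = shlex.split(m.group("rest"))  # MONITOR double-quotes every argument
    except ValueError:
        return None
    return {"ts": float(m.group("ts")), "db": int(m.group("db")), "host": host, "args": args}


def script_command_name(args):
    """Return 'EVAL', 'SCRIPT LOAD', ... if args invoke the Lua engine, else None."""
    if not args:
        return None
    cmd = args[0].upper()
    if cmd in SCRIPT_COMMANDS:
        return cmd
    if len(args) > 1 and (cmd, args[1].upper()) in SCRIPT_SUBCOMMANDS:
        return f"{cmd} {args[1].upper()}"
    return None


def flag_untrusted_script_calls(lines, allowed_cidrs):
    """One finding per script command whose peer is outside allowed_cidrs."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or ev["host"] is None:
            continue
        name = script_command_name(ev["args"])
        if name is None:
            continue
        try:
            peer = ipaddress.ip_address(ev["host"])
        except ValueError:
            continue  # not an IP peer; nothing to compare against the allow-list
        if any(peer in n for n in nets):
            continue
        findings.append({"ts": ev["ts"], "src": ev["host"], "command": name})
    return findings


# Constructed sample: an app server inside 10.20.0.0/16 plus two peers outside
# it (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_MONITOR_LINES = [
    '1761552000.101234 [0 10.20.0.15:48210] "EVAL" "return redis.call(\'GET\', KEYS[1])" "1" "session:42"',
    '1761552000.204411 [0 10.20.0.15:48210] "GET" "session:42"',
    '1761552001.512000 [0 203.0.113.77:51932] "EVAL" "return redis.call(\'INFO\', \'server\')" "0"',
    '1761552002.001000 [0 lua] "INFO" "server"',
    '1761552002.900000 [0 203.0.113.77:51932] "SCRIPT" "LOAD" "return 1"',
    '1761552003.100000 [0 203.0.113.77:51932] "SCRIPT" "EXISTS" "e0e1f9fa"',
    '1761552003.700000 [0 [2001:db8::9]:40000] "EVALSHA" "e0e1f9fabfc9d4800c18a9d1b6d3a2b1f1a1b1c1" "0"',
]
ALLOWED_SUBNETS = ["10.20.0.0/16"]  # assumed application subnet

if __name__ == "__main__":
    for f in flag_untrusted_script_calls(SAMPLE_MONITOR_LINES, ALLOWED_SUBNETS):
        print(f"{f['ts']:.3f} {f['src']:>15}  {f['command']}")
```

MONITOR itself costs throughput, so on a busy production node feed the same parser from a short capture rather than leaving it attached; the point is to confirm whether any client outside the application tier is reaching the scripting commands at all, which is exactly what the ACL and network controls in the next section should make impossible.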
Recommendations for RediShell RCE Vulnerability Response
- Apply Patches: immediately upgrade to a fixed release as listed in the official Redis security advisory. Where patching must wait, apply the temporary mitigations below in parallel and set an expedited patching date.
- Enable Authentication: require AUTH (requirepass) or, better, per-user ACL credentials for every connection. Instances deployed from default images with authentication disabled should be reviewed first. Authentication limits who can reach the bug; it does not remove it, since any authenticated client allowed to run EVAL can still trigger it.
- Block Unnecessary Commands: for users that do not need scripting, deny the Lua entry points with ACL rules. The @scripting category covers EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION and FCALL, so deny the whole category rather than removing EVAL and EVALSHA alone. Before applying this change, verify whether any legitimate service depends on these commands.
- Network Blocking and Access Restriction: block the Redis port (default 6379) from the public internet with a firewall or security group, bind Redis to internal interfaces only, and allow access solely from authorized application subnets, VPNs, or bastion hosts.
- Continuous Detection and Monitoring: use a threat intelligence solution like Criminal IP to continuously monitor for internet exposure and for unpatched or unauthenticated instances, and watch for anomalous activity on the hosts themselves.
FAQ
Q1. How can I quickly check if our environment is actually affected?
To check the impact, first establish the Redis version and where the instance is reachable from. For internal instances, compare the redis_version reported by INFO server against the fixed releases in the Redis advisory (8.2.2, 8.0.4, 7.4.6, 7.2.11 and 6.2.20); any older build on those lines, and any release line without a fixed build, is affected. For externally reachable instances, an Attack Surface Management (ASM) tool like Criminal IP can discover exposed hosts using the queries product:Redis or cve_id:CVE-2025-49844.
Prioritize instances where port 6379 is open to the outside, where no authentication is configured, or where the default user can still run scripting commands.
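The version comparison and the authentication and scripting checks above can be run from an instance's own output. The following is an added example for this post, not code from Criminal IP or the Redis project: it takes the text of INFO server, the lines of ACL LIST, and the values of CONFIG GET bind / protected-mode, and reports whether the build predates the fixed release on its line, which users are passwordless, which users can still reach a Lua entry point, and whether the listener is bound beyond loopback. The fixed-version table is taken from the Redis advisory and should be confirmed against it; the ACL evaluator is deliberately simplified (it applies only +@all/-@all, +@scripting/-@scripting and per-command tokens). The sample outputs are constructed.

```python
"""Triage a Redis instance for CVE-2025-49844 exposure from its own output.

Added example for this post (not code from Criminal IP or the Redis project).
It takes the text of `INFO server`, the lines of `ACL LIST`, and the values of
`CONFIG GET bind` / `CONFIG GET protected-mode`, and reports whether the build
predates the fixed release on its line, which users are passwordless, which
users can still reach the Lua entry points, and whether the listener is bound
beyond loopback. The sample outputs below are constructed for the example.
"""
import re

# Fixed releases per line as listed in the Redis advisory for CVE-2025-49844;
# confirm against the advisory before relying on this table. Any other release
# line (for example an unsupported 5.x or 7.0.x) is treated as affected.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# Base command names that reach the Lua interpreter (all in the @scripting category).
LUA_ENTRY_POINTS = {"eval", "eval_ro", "evalsha", "evalsha_ro",
                    "script", "function", "fcall", "fcall_ro"}


def parse_version(info_server_text):
    """Extract redis_version from `INFO server` output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True if version predates the fixed release on its major.minor line."""
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    return True if fixed is None else tuple(version) < fixed


def parse_acl_user(acl_list_line):
    """Parse one `ACL LIST` line: name, enabled, passwordless, and Lua reachability.

    Simplified evaluator: +@all/-@all, +@scripting/-@scripting and per-command
    +cmd/-cmd tokens are applied in order, as Redis does; other categories are
    ignored. Confirm on the live server with `ACL DRYRUN <user> EVAL "return 1" 0`.
    """
    tokens = acl_list_line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_list_line!r}")
    allowed = set()
    for tok in tokens[3:]:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(LUA_ENTRY_POINTS)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif tok[0] in "+-" and not tok.startswith(("+@", "-@")):
            base = tok[1:].split("|")[0].lower()  # "+script|load" -> "script"
            if base in LUA_ENTRY_POINTS:
                (allowed.add if tok[0] == "+" else allowed.discard)(base)
    return {"name": tokens[1], "enabled": tokens[2] == "on",
            "nopass": "nopass" in tokens, "can_run_lua": bool(allowed)}


def assess_exposure(info_server_text, acl_list_lines, config):
    """Combine the checks. `config` maps CONFIG GET names to their string values."""
    version = parse_version(info_server_text)
    users = [parse_acl_user(line) for line in acl_list_lines if line.strip()]
    binds = [b.lstrip("-") for b in config.get("bind", "").split()]  # "-::1" = optional bind
    loopback_only = bool(binds) and all(b in ("127.0.0.1", "::1", "localhost") for b in binds)
    return {
        "version": ".".join(map(str, version)),
        "version_vulnerable": is_vulnerable_version(version),
        "passwordless_users": [u["name"] for u in users if u["enabled"] and u["nopass"]],
        "lua_capable_users": [u["name"] for u in users if u["enabled"] and u["can_run_lua"]],
        "non_loopback_bind": not loopback_only,
        "protected_mode_off": config.get("protected-mode", "yes").lower() == "no",
    }


# Constructed sample outputs for an unpatched 7.2 build with a passwordless
# default user, and an "app" user whose ACL removed EVAL/EVALSHA but left the
# rest of the scripting category reachable ("#<sha256>" stands in for a hash).
SAMPLE_INFO_SERVER = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256> ~app:* resetchannels -@all +get +set +@scripting -eval -evalsha",
    "user reporter on #<sha256> ~* resetchannels -@all +@read",
]
SAMPLE_CONFIG = {"bind": "0.0.0.0", "protected-mode": "no", "port": "6379"}

if __name__ == "__main__":
    for key, value in assess_exposure(SAMPLE_INFO_SERVER, SAMPLE_ACL_LIST, SAMPLE_CONFIG).items():
        print(f"{key:>20}: {value}")
```

On a live server the three inputs come from `redis-cli INFO server`, `redis-cli ACL LIST` and `redis-cli CONFIG GET bind` / `CONFIG GET protected-mode`. The "app" user in the sample is the case worth noticing: removing only EVAL and EVALSHA still leaves EVAL_RO, SCRIPT LOAD, FUNCTION and FCALL reachable, so the fix is `ACL SETUSER app -@scripting` (persisted with ACL SAVE or in the ACL file), after which `ACL DRYRUN app EVAL "return 1" 0` on Redis 7.0 or later should report a permission error instead of OK.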
Q2. If we cannot apply the patch immediately, which mitigation measures should we prioritize?
If patch application is delayed, enabling authentication features (AUTH/ACL) and restricting network access are the most effective defensive measures. It is recommended to block the Redis port (default 6379) from the public internet and configure access to be possible only through internal networks or a VPN.
Additionally, restricting the Lua scripting commands (EVAL and EVALSHA, and the rest of the @scripting ACL category, which also includes EVAL_RO, SCRIPT, FUNCTION and FCALL) removes the path that delivers the malicious script, significantly reducing the likelihood of exploitation even before the patch is applied.
Q3. How should we respond if a compromise is suspected?
If a compromise is suspected, the immediate priority is to isolate the host from the network and preserve forensic material, including running processes, logs, and network traffic. Next, revoke and replace any credentials the host could have exposed, such as SSH keys or API tokens, and treat the data held in Redis (and its RDB/AOF files) as disclosed. Restore the system by redeploying from a clean, patched image; applying the patch to a host that may already contain a backdoor does not remove the backdoor.
If necessary, it is recommended to correlate SIEM or EDR logs with threat intelligence platforms such as Criminal IP to check for any signs of further compromise or lateral spread.
Conclusion
The RediShell RCE vulnerability (CVE-2025-49844) is a critical flaw that goes well beyond a simple process crash, posing a very high risk of immediate RCE in environments without authentication or exposed to the public internet.
The response priorities are clear: patching comes first. Before and after patching, supplement it with Enabling Authentication (AUTH/ACL) → Network Isolation (Public Blocking) → Scripting Restriction (the @scripting category, not just EVAL) → Continuous Detection and Monitoring. In a "compound exposure" situation, where Redis sits alongside other services such as a database, FTP, or a web server on a single host, an integrated response is required that inspects and remediates each exposed service at the same time. Combining rapid patching and mitigation with constant monitoring using threat intelligence solutions like Criminal IP is what prevents large-scale damage from RediShell.
In relation to this, you can refer to Oracle EBS CVE-2025-61884: Runtime UI Exposes Configuration Data.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Sources: Criminal IP (https://www.criminalip.io), HELP NET SECURITY (https://www.helpnetsecurity.com/2025/10/07/redis-patches-critical-redishell-rce-vulnerability-update-asap-cve-2025-49844/)
Related Article: https://www.criminalip.io/knowledge-hub/blog/30382
