13-Year-Old Redis Flaw Exposed: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely
Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. "An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free,
AI Analysis
Technical Summary
Redis, a widely used in-memory database, has disclosed a critical security vulnerability identified as CVE-2025-49844, also known as RediShell, with a CVSS score of 10.0. This vulnerability is a use-after-free (UAF) memory corruption bug in the Lua scripting engine embedded in Redis, present for approximately 13 years across all versions. The flaw allows an authenticated attacker to craft a malicious Lua script that manipulates the garbage collector to trigger the UAF condition, escaping the Lua sandbox and executing arbitrary native code on the Redis host. This leads to full system compromise, enabling attackers to exfiltrate data, deploy malware, hijack resources, or move laterally within cloud environments. Exploitation requires prior authentication, but many Redis instances are exposed on the internet, with around 60,000 lacking any authentication, making them vulnerable to unauthorized access. Redis has released patches in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 to address this issue. Until patches can be applied, administrators are advised to restrict Lua script execution by disabling EVAL and EVALSHA commands via access control lists (ACLs) and ensuring only trusted users can execute scripts. The vulnerability poses a significant threat due to Redis's widespread use, default insecure configurations, and the critical nature of the flaw. Although no active exploitation has been reported, the potential for cryptojacking, data breaches, and botnet enlistment is high, necessitating immediate remediation.
Potential Impact
For European organizations, this vulnerability presents a severe risk to confidentiality, integrity, and availability of critical data and systems. Redis is commonly used in cloud and on-premises environments for caching, session management, and real-time data processing, making it a high-value target. Successful exploitation could lead to unauthorized data access, data loss, ransomware deployment, or disruption of services. The ability to execute arbitrary code on the host system could allow attackers to pivot to other internal systems or cloud services, amplifying the impact. Organizations with Redis instances exposed to the internet or with weak authentication controls are particularly vulnerable. The threat is exacerbated in sectors with sensitive data such as finance, healthcare, and government services prevalent in Europe. Additionally, the potential for cryptojacking or botnet recruitment could degrade system performance and increase operational costs. The widespread deployment of Redis and the long-standing nature of the flaw mean many organizations may be unknowingly exposed, increasing the urgency for patching and mitigation.
Mitigation Recommendations
1. Immediately apply the official Redis patches released on October 3, 2025 (versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2) to all Redis instances.
2. Restrict Lua script execution by disabling EVAL and EVALSHA commands using Redis Access Control Lists (ACLs) to prevent unauthorized script execution.
3. Ensure all Redis instances are not exposed directly to the internet; use network segmentation, firewalls, and VPNs to limit access to trusted users and systems only.
4. Enforce strong authentication mechanisms on all Redis instances, eliminating any instances without authentication.
5. Regularly audit Redis configurations and access logs to detect unauthorized access attempts or suspicious Lua script executions.
6. Implement monitoring and alerting for unusual Redis activity, including unexpected command usage or network connections.
7. Educate DevOps and security teams about the risks of Lua scripting in Redis and the importance of secure configuration.
8. For cloud environments, leverage cloud provider security features such as private endpoints and security groups to restrict Redis access.
9. Consider disabling Lua scripting entirely if not required by the application to reduce the attack surface.
10. Conduct penetration testing and vulnerability assessments post-mitigation to validate the effectiveness of controls.
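A defender-side check for recommendations 1, 2 and 4 above, added here as an example (not the page's or Redis's own code): it reads text captured from `redis-cli INFO server` and `redis-cli ACL LIST`, flags versions below the fixed releases the advisory lists, users that need no password, and users whose ACL rules still leave EVAL or EVALSHA reachable. The sample INFO and ACL data are constructed; the `#<hash-placeholder>` token stands in for a real password hash.

```python
"""Offline audit for the RediShell (CVE-2025-49844) controls in this advisory.
Added example, not Redis's code. Input is pasted output of `INFO server` and
`ACL LIST`; the sample data at the bottom is constructed."""

# Minimum fixed patch level per branch, from the advisory. Branches it does not
# name (e.g. 7.0.x) are treated as unpatched because no fix is listed for them.
PATCHED_MIN = {(6, 2): 20, (7, 2): 11, (7, 4): 6, (8, 0): 4, (8, 2): 2}

def parse_version(info_text):
    """Return (major, minor, patch) from the redis_version line of INFO server."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(p) for p in line.split(":", 1)[1].strip().split("."))
    raise ValueError("redis_version not found")

def is_patched(version):
    major, minor, patch = version
    return patch >= PATCHED_MIN.get((major, minor), float("inf"))

def scripting_allowed(acl_line):
    """Replay one `ACL LIST` entry left to right (later rules override earlier
    ones) and report whether EVAL or EVALSHA is still permitted at the end."""
    allowed = {"eval": False, "evalsha": False}
    for tok in acl_line.split()[2:]:          # skip the leading 'user <name>'
        tok = tok.lower()
        if tok in ("+@all", "allcommands"):
            allowed = dict.fromkeys(allowed, True)
        elif tok in ("-@all", "nocommands"):
            allowed = dict.fromkeys(allowed, False)
        elif tok in ("+@scripting", "-@scripting"):
            allowed = dict.fromkeys(allowed, tok[0] == "+")
        elif tok[0] in "+-" and tok[1:] in allowed:
            allowed[tok[1:]] = tok[0] == "+"
    return any(allowed.values())

def audit(info_text, acl_lines):
    """Return findings for one instance; an empty list means all checks passed."""
    findings = []
    if not is_patched(parse_version(info_text)):
        findings.append("unpatched version: upgrade to a fixed release")
    for line in acl_lines:
        name = line.split()[1]
        if " nopass " in line:
            findings.append(f"user {name}: no password required")
        if scripting_allowed(line):
            findings.append(f"user {name}: can run EVAL/EVALSHA (add -@scripting)")
    return findings

# Constructed sample: unpatched 7.2.x, a password-less default user, and an
# application user whose scripting category was removed.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = ["user default on nopass sanitize-payload ~* &* +@all",
              "user app on #<hash-placeholder> ~* &* +@all -@scripting"]
```

Run `audit(SAMPLE_INFO, SAMPLE_ACL)` against real captured output to get a per-instance list of what still needs fixing.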
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html (fetched 2025-10-07T11:50:18Z, 1058 words)
Threat ID: 68e4fe7ca677756fc98a4e0c
Added to database: 10/7/2025, 11:50:20 AM
Last enriched: 10/7/2025, 11:50:36 AM
Last updated: 11/22/2025, 6:53:30 AM