Critical RediShell Vulnerability With CVSS 10.0 Score Threatens 330,000 Internet-Exposed Redis Instances

TL;DR

  • Wiz Research disclosed CVE-2025-49844 (RediShell), a critical remote code execution vulnerability in Redis that carries the maximum CVSS score of 10.0
  • The flaw is a Use-After-Free memory corruption bug in Redis's embedded Lua scripting engine that has been in the source code for approximately 13 years; exploiting it requires the ability to run a Lua script, which on an instance with no password means anyone who can reach the port
  • An estimated 330,000 Redis instances are exposed to the internet, with roughly 60,000 running without any authentication
  • The vulnerability affects Redis forks including Valkey and managed services like Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis
  • Redis released patched versions on October 3, 2025, and organizations are urged to update immediately

Wiz Research has uncovered one of the most critical vulnerabilities in recent memory. CVE-2025-49844, dubbed RediShell, is a remote code execution (RCE) flaw in the widely deployed Redis in-memory data store, and it carries the maximum possible CVSS score of 10.0. The reach of the discovery is what alarms the cloud infrastructure community: Wiz estimates that Redis runs in approximately 75 percent of all cloud environments worldwide.

How RediShell Works

The vulnerability is a Use-After-Free (UAF) memory corruption bug in Redis's Lua scripting engine that has been present in the source code for roughly 13 years. An attacker who can issue a Lua script to the server (scripting is enabled by default, via EVAL and related commands) sends a specially crafted script that triggers the UAF, escapes the Lua sandbox, and executes arbitrary native code in the context of the redis-server process, with whatever privileges that process runs under. The bug is post-authentication, but that qualifier only protects instances that actually enforce a password: on the tens of thousands of exposed instances running without one, any client that can reach port 6379 already has everything the exploit needs.

Once an attacker gains code execution on the Redis host, the implications are severe. They can exfiltrate, wipe, or encrypt sensitive data stored in the Redis instance. They can hijack computational resources. And critically, they can use the compromised host as a pivot point for lateral movement within broader cloud environments, potentially escalating a single-instance compromise into a full-scale infrastructure breach.

Scope of the Threat

Wiz’s exposure analysis paints a troubling picture. At the time of disclosure, approximately 330,000 Redis instances were directly exposed to the internet. Of those, about 60,000 were running without any form of authentication configured. The official Redis Docker container does not require authentication by default, and Wiz found that 57 percent of cloud environments install Redis as container images — many without proper security hardening.

The combination of internet exposure, absent authentication, and a critical RCE vulnerability creates what security researchers describe as a perfect storm. Although RediShell technically requires authenticated access, an instance with no password configured treats every client that can reach it as authenticated, so on those roughly 60,000 hosts an attacker needs nothing more than network access and a single malicious EVAL request to achieve full host compromise. Instances that do enforce a password are still at risk from any client that holds valid credentials, including compromised application servers that legitimately talk to Redis.
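The exposure categories in this section can be checked against your own estate with a probe that speaks the RESP wire protocol directly. The block below is an added example, not code from Wiz or the Redis project: it sends PING and classifies the answer (an instance with no password replies +PONG, one enforcing AUTH replies -NOAUTH, one guarded by protected mode replies -DENIED), and on an open instance reads redis_version from INFO server so it can be compared with the Redis advisory. Which versions are fixed is deliberately left to the advisory rather than hard-coded. The sample replies at the bottom are constructed, not captured from any real host, and the version string in them is illustrative only. Only point probe() at hosts you are authorised to test.

```python
"""Added example (not Wiz or Redis project code): probe one Redis endpoint over RESP,
classify its exposure, and recover redis_version from an open instance."""
import socket


def encode_command(*parts):
    """Encode a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    out = [b"*%d\r\n" % len(parts)]
    for p in parts:
        b = p.encode() if isinstance(p, str) else p
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_reply(data):
    """Parse one complete RESP2 reply into (kind, value), kind in
    status / error / integer / bulk / null. Raises ValueError while the reply is still
    incomplete so a reader can keep appending bytes. Arrays are not needed for PING or
    INFO and are rejected."""
    head, sep, rest = data.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete reply")
    prefix, body = head[:1], head[1:]
    if prefix == b"+":
        return "status", body.decode()
    if prefix == b"-":
        return "error", body.decode()
    if prefix == b":":
        return "integer", int(body)
    if prefix == b"$":
        n = int(body)
        if n == -1:
            return "null", None
        if len(rest) < n + 2:
            raise ValueError("incomplete bulk reply")
        return "bulk", rest[:n].decode()
    raise NotImplementedError(f"unsupported reply type {prefix!r}")


def classify(reply):
    """Map the reply to PING onto the exposure categories discussed in the article."""
    kind, value = reply
    if kind == "status" and value == "PONG":
        return "OPEN_NO_AUTH"       # anyone reaching the port can already run EVAL
    if kind == "error" and value.startswith("NOAUTH"):
        return "AUTH_REQUIRED"      # exposed, but RediShell needs a valid password first
    if kind == "error" and value.startswith("DENIED"):
        return "PROTECTED_MODE"     # protected mode is refusing non-loopback clients
    return "UNKNOWN"


def parse_info_version(info_text):
    """Pull redis_version out of the bulk string returned by INFO server."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    return None


def _read_reply(sock):
    """Accumulate bytes until parse_reply accepts them as one complete reply."""
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
        try:
            return parse_reply(buf)
        except ValueError:
            continue


def probe(host, port=6379, timeout=3.0):
    """Live check against one host:port. Returns {'status': ..., 'version': ...}."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command("PING"))
        status = classify(_read_reply(s))
        version = None
        if status == "OPEN_NO_AUTH":
            s.sendall(encode_command("INFO", "server"))
            kind, value = _read_reply(s)
            if kind == "bulk":
                version = parse_info_version(value)
    return {"status": status, "version": version}


# Constructed wire samples (not captured from any real host) so the parser can be
# exercised offline; the version string is illustrative only.
SAMPLE_PONG = b"+PONG\r\n"
SAMPLE_NOAUTH = b"-NOAUTH Authentication required.\r\n"
_INFO_PAYLOAD = b"# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_INFO = b"$%d\r\n%s\r\n" % (len(_INFO_PAYLOAD), _INFO_PAYLOAD)

if __name__ == "__main__":
    print(classify(parse_reply(SAMPLE_PONG)), classify(parse_reply(SAMPLE_NOAUTH)))
    print(parse_info_version(parse_reply(SAMPLE_INFO)[1]))
```

The split between parse_reply and _read_reply matters on real networks: INFO output is several kilobytes and routinely arrives in more than one segment, so the reader keeps appending until the bulk length announced in the `$` header has been satisfied. A host answering PROTECTED_MODE is not safe by itself; it only means the instance has no password and no bind directive, and it will become OPEN_NO_AUTH the moment someone sets protected-mode to no or binds it to a non-loopback address.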

Who Is Affected

RediShell is not limited to self-hosted Redis deployments. The vulnerability also affects popular Redis forks, including the Valkey project, which released its own patch on October 3, 2025. Major managed Redis services — Amazon ElastiCache, Google Cloud Memorystore, and Azure Cache for Redis — are also impacted, though cloud providers have been working to patch their managed offerings.

Given that Redis is commonly used for caching, session management, message queuing via pub/sub, and real-time data serving, the vulnerability potentially affects virtually every sector: financial services, e-commerce, social media platforms, SaaS applications, and — critically — cryptocurrency exchanges and blockchain infrastructure that rely on Redis for high-performance data caching.

What Makes This Vulnerability Unique

According to Wiz, CVE-2025-49844 is the first Redis vulnerability to receive a critical severity rating, and only around 300 vulnerabilities a year are scored 10.0 globally. The 10.0 assigned by Wiz assumes the default deployment, in which no password is required and Privileges Required is therefore None; a deployment that actually enforces authentication has a lower effective base score, because the attacker must first hold valid credentials. The rating reflects how Redis is commonly run in practice, with minimal authentication, in containers, and with broad network exposure, as much as the technical severity of remote code execution.

The fact that the underlying bug has existed for 13 years is particularly notable. It means that virtually every version of Redis deployed over more than a decade has been vulnerable, and the flaw was only discovered through dedicated security research by the Wiz team.

Immediate Steps for Organizations

Redis released a security advisory and patched versions on October 3, 2025. Organizations running Redis should prioritize the following actions: first, update all Redis instances to the latest patched version listed in the advisory, starting with those exposed to the internet, and confirm the running version afterwards with INFO server rather than trusting the package version. Second, ensure authentication is enabled on all Redis instances, whether through requirepass or explicit ACL users with passwords; the default configuration, which accepts any client without credentials, should never be used in production. Third, audit Redis deployments for unnecessary internet exposure and restrict access through bind directives, network segmentation, and firewall rules. Fourth, where a patch cannot be applied immediately, the Redis advisory's interim mitigation is to use ACLs to deny Lua scripting (the EVAL and EVALSHA commands) to any user that does not need it, which removes the path RediShell depends on.

For organizations using managed Redis services, check with the respective cloud provider for patch status and any required configuration changes. Container-based deployments should be rebuilt from updated images rather than merely restarted.
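The remediation steps above, and the exposure conditions described in the Scope section, translate into a small redis.conf audit. The block below is an added example, not Redis project code: it parses a config file and reports three things, whether the server listens on every interface, whether an enabled user has no password, and whether any enabled user may still reach the Lua engine through the @scripting ACL category (so that the interim -@scripting mitigation can be verified). The ACL model is deliberately small: it understands on/off, nopass and password tokens, +@all/-@all and their allcommands/nocommands aliases, +@scripting/-@scripting, and per-command rules such as -eval. Other categories that also contain scripting commands, such as @slow, are not modelled, so treat a clean result as a first pass rather than proof. The three configs at the bottom are constructed for the example and not taken from any real deployment.

```python
"""Added example (not Redis project code): audit a redis.conf for network exposure,
missing authentication, and Lua scripting reachable by an enabled ACL user."""

# The @scripting ACL category as documented for Redis 7: the commands an attacker
# needs in order to reach the Lua engine.
SCRIPTING_CMDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                            "fcall", "fcall_ro", "function", "script"})
ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Map each directive to a list of argument lists (directives such as 'user' repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def scripting_allowed(tokens):
    """Apply ACL rule tokens left to right and return the scripting commands they grant.
    Only @all and @scripting are modelled as categories (see lead-in for the limitation)."""
    allowed = set()
    for tok in tokens:
        t = tok.lower()
        if t in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING_CMDS)
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed.clear()
        elif t[0] in "+-" and t[1:2] != "@":
            cmd = t[1:].split("|", 1)[0]        # '+script|load' counts as granting SCRIPT
            if cmd in SCRIPTING_CMDS:
                (allowed.add if t[0] == "+" else allowed.discard)(cmd)
    return allowed


def user_rules(conf):
    """Collect 'user' directives; synthesize the implicit default user when absent.
    Without an explicit 'user default' line Redis behaves as
    'user default on nopass ~* &* +@all', with the requirepass value as the password
    when requirepass is set."""
    users = {}
    for args in conf.get("user", []):
        if args:
            users.setdefault(args[0], []).extend(args[1:])
    if "default" not in users:
        pw = conf.get("requirepass", [[]])[-1]
        has_pw = bool(pw) and pw[0] not in ('""', "''")
        users["default"] = ["on", (">" + pw[0]) if has_pw else "nopass", "~*", "&*", "+@all"]
    return users


def audit(conf_text):
    """Return (severity, subject, message) findings for one redis.conf text."""
    conf = parse_redis_conf(conf_text)
    findings = []

    binds = [b.lstrip("-") for args in conf.get("bind", []) for b in args]
    if not binds or any(b in ALL_INTERFACES for b in binds):
        findings.append(("HIGH", "bind",
                         "listens on all interfaces; bind to loopback or a private address"))
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append(("HIGH", "protected-mode",
                         "protected mode disabled; remote clients are accepted even without a password"))

    for name, tokens in user_rules(conf).items():
        state, nopass = "off", False           # ACL users are off until a rule turns them on
        for t in tokens:
            if t in ("on", "off"):
                state = t
            elif t == "nopass":
                nopass = True
            elif t.startswith((">", "#")) or t == "resetpass":
                nopass = False
        if state == "off":
            continue
        if nopass:
            findings.append(("CRITICAL", f"user {name}",
                             "enabled without a password: anyone reaching the port is 'authenticated'"))
        granted = scripting_allowed(tokens)
        if granted:
            findings.append(("MEDIUM", f"user {name}",
                             "may run Lua/functions (" + ", ".join(sorted(granted)) +
                             "); add -@scripting until patched unless scripting is required"))
    return findings


# Constructed configs for the example (not taken from any real deployment).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
PASSWORD_ONLY_CONF = """
bind 0.0.0.0
requirepass example-password-change-me
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
user default off
user app on >example-app-secret ~cache:* &* +@all -@scripting
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("password only", PASSWORD_ONLY_CONF),
                        ("hardened", HARDENED_CONF)):
        print(label, audit(text) or "no findings")
```

The password-only config is the instructive case: setting requirepass closes the no-authentication hole that the 60,000 exposed instances have, but the default user still carries +@all, so any client holding that password can still reach EVAL and the audit keeps flagging it at MEDIUM until the instance is patched or scripting is denied. The hardened config shows the shape the advisory's interim mitigation takes: the default user is switched off and the application user gets +@all followed by -@scripting, which the left-to-right evaluation resolves to no scripting access.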

Why This Matters

With Bitcoin trading at approximately $120,681 and Ethereum at $4,487 on October 2, 2025, the cryptocurrency ecosystem represents a high-value target for attackers exploiting infrastructure vulnerabilities. Many crypto exchanges, DeFi protocols, and blockchain services rely on Redis for real-time data processing, order book management, and session handling. A compromised Redis instance at a cryptocurrency platform could lead to data exfiltration, market manipulation, or direct theft of digital assets.

The RediShell disclosure is a stark reminder that infrastructure security is not just about application-level defenses. The foundational software layers — databases, caching systems, message queues — are equally critical attack surfaces. As the crypto industry continues to mature and attract institutional capital, the expectation for enterprise-grade security practices only grows. Organizations that fail to patch critical infrastructure vulnerabilities in a timely manner face not only financial risk but reputational damage that can be far more costly in the long run.

Disclaimer: This article is for informational purposes only and does not constitute cybersecurity or financial advice. Organizations should consult their security teams and follow official advisories from Redis and their cloud providers when addressing this vulnerability.

7 thoughts on “Critical RediShell Vulnerability With CVSS 10.0 Score Threatens 330,000 Internet-Exposed Redis Instances”

    1. mempool: this is bigger than crypto specifically. Redis runs in 75% of cloud environments. the 60K unauthenticated instances facing the internet are the real nightmare

    2. A 13-year-old bug with CVSS 10.0. Use-After-Free in Redis since 2012. one malicious Lua script and you get RCE on the host. patch your instances yesterday
