- Redis patches CVE-2025-49844, a critical bug enabling remote code execution via Lua script abuse
- Vulnerability had existed for 13 years; affects versions 8.2.1 and below, now fixed in 8.2.2
- Over 60,000 exposed instances lack authentication; urgent updates and ACL restrictions are strongly advised
Redis, a popular open source data store, carried a critical vulnerability that let an authenticated user (or anyone at all, on the many instances that require no password) execute code remotely on the server. It has been fixed in the newest release, which users are urged to install now.
Redis, short for Remote Dictionary Server, is an open source, in-memory data store used as a database, cache, and message broker for fast data access and real-time applications, used across a wide range of cloud environments.
According to the security advisory, the bug, a use-after-free, was introduced into the Redis source code 13 years ago. An authenticated user can submit a crafted Lua script that triggers it, escapes the Lua sandbox, and gains native code execution on the host, typically by opening a reverse shell. From there the attacker has whatever the Redis process has: credentials and cached data to steal, a foothold for malware or cryptojackers, and a path to further data leaks.
Thousands of vulnerable instances
The bug is tracked as CVE-2025-49844 and was given a severity score of 9.9/10 (critical). It was found in versions 8.2.1 and below and fixed in version 8.2.2.
Those who cannot upgrade to the fixed version in time should stop users from executing Lua scripts at all, which can be done with an ACL that denies the EVAL and EVALSHA commands. Note that the same Lua engine is also reachable through EVAL_RO, EVALSHA_RO and the Redis Functions commands (FUNCTION, FCALL); the @scripting ACL category covers all of them, so denying that whole category is the safer rule. Restricting scripts does nothing for an instance that accepts connections without a password, so authentication and network exposure need fixing at the same time.
Citing cloud security firm Wiz, BleepingComputer also reports around 330,000 Redis instances exposed to the internet, at least 60,000 of which require no authentication at all, so anyone who can reach them meets the "authenticated user" precondition for free.
The true number of vulnerable instances is probably much higher once instances protected only by weak credentials, or already compromised through other vulnerabilities, are counted.
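The two checks the preceding paragraphs describe, a release below 8.2.2 and a user who can still reach the Lua engine, can be scripted. The following is an added example and is not code from the article, from Wiz or from the Redis project. It speaks plain RESP over a socket so it needs no client library. FIXED_BY_BRANCH is an assumption: it lists only 8.2.2, the release named here, and should be extended from the vendor advisory for older maintained branches before it is trusted for those. The live probe() at the bottom is optional; every other helper runs offline on constructed replies, and the hypothetical user name "app" and the sample replies are constructed for illustration.

```python
"""Added example (not the article's or Redis' code): triage a Redis instance
for CVE-2025-49844 by release version and by ACL reachability of scripting."""
import socket

# Assumption: (major, minor) branch -> first release on that branch with the fix.
FIXED_BY_BRANCH = {(8, 2): (8, 2, 2)}


class RedisError(Exception):
    """A '-ERR ...' reply, returned as a value so a probe can report it."""


def encode_command(*args):
    """Serialize a command as a RESP array of bulk strings, as redis-cli does."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode() if isinstance(arg, str) else arg
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def decode_reply(buf, pos=0):
    """Parse one RESP2 reply at buf[pos:]; returns (value, next_pos).
    Raises ValueError while the buffer does not yet hold a complete reply."""
    end = buf.index(b"\r\n", pos)
    kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), nxt
    if kind == b"-":
        return RedisError(line.decode()), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, nxt                     # null bulk string
        if len(buf) < nxt + n + 2:
            raise ValueError("incomplete bulk string")
        return buf[nxt:nxt + n].decode(), nxt + n + 2
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, nxt = decode_reply(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError("unexpected RESP type byte %r" % kind)


def parse_version(text):
    """'8.2.1' -> (8, 2, 1); a suffix such as '-rc1' is ignored."""
    return tuple(int(p) for p in text.strip().split("-")[0].split(".")[:3])


def version_from_info(info):
    """Extract redis_version from the text of an INFO server reply."""
    if isinstance(info, RedisError):
        raise info
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version not present in INFO output")


def is_vulnerable(version, fixed=FIXED_BY_BRANCH):
    """True when the release predates the fix for its branch. A branch with no
    entry is measured against the newest fix listed, so 8.0.x or 7.x report
    vulnerable until the table is filled in from the advisory."""
    return version < fixed.get(version[:2], max(fixed.values()))


def scripting_status(dryrun_replies):
    """Classify replies to `ACL DRYRUN <user> <command> ...`: +OK means the
    user may run it, any other string is the denial reason, and an error reply
    usually means a pre-7.0 server that has no ACL DRYRUN."""
    status = {}
    for cmd, reply in dryrun_replies.items():
        if isinstance(reply, RedisError):
            status[cmd] = "unknown"
        else:
            status[cmd] = "allowed" if reply == "OK" else "denied"
    return status


def probe(host, port=6379, user="default", password=None, timeout=3.0):
    """Live check (not exercised offline): unauthenticated PING first, since
    the 60,000 figure counts instances that answer it, then INFO and ACL DRYRUN
    for the user in question (ACL DRYRUN needs Redis 7.0+ and ACL privileges)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        def call(*args):
            sock.sendall(encode_command(*args))
            buf = b""
            while True:
                chunk = sock.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                buf += chunk
                try:
                    return decode_reply(buf)[0]
                except ValueError:
                    continue                     # reply not complete yet

        no_auth = call("PING") == "PONG"         # a -NOAUTH error compares False
        if not no_auth and password is not None:
            auth = call("AUTH", user, password)
            if isinstance(auth, RedisError):
                raise auth
        version = version_from_info(call("INFO", "server"))
        replies = {
            "EVAL": call("ACL", "DRYRUN", user, "EVAL", "return 1", "0"),
            "EVALSHA": call("ACL", "DRYRUN", user, "EVALSHA", "0" * 40, "0"),
            "FCALL": call("ACL", "DRYRUN", user, "FCALL", "fn", "0"),
        }
        return {"no_auth_required": no_auth, "version": version,
                "vulnerable_release": is_vulnerable(version),
                "scripting": scripting_status(replies)}
```

A finding of "allowed" for any of the three commands means the interim mitigation is not in place for that user; the corresponding fix on a 7.0+ server is a rule such as ACL SETUSER app -@scripting (or, narrowly, -EVAL -EVALSHA), which can then be re-verified with the same ACL DRYRUN calls. A "no_auth_required" of True is the more urgent result, since it puts the instance in the unauthenticated population the article describes regardless of version.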
“The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation. Organizations must prioritize updating their Redis instances and implementing proper security controls to protect against exploitation,” Wiz noted.
Via BleepingComputer