Critical Vulnerability Puts 60,000 Redis Servers at Risk of Exploitation

"By default, the official Redis container does not require authentication, as instances should be deployed internally and not internet-accessible, but there are roughly 330,000 Redis servers exposed to the web, and 60,000 of them have no authentication. 'The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default),' Wiz notes."
"Underlining that roughly 75% of cloud environments rely on Redis, Wiz explains that an attacker could fully compromise a system by sending a malicious Lua script to trigger the bug and escape the Lua sandbox to achieve code execution. The script would also deploy a reverse shell to establish persistent access, allowing attackers to harvest credentials and other sensitive information, exfiltrate data, install malware, move laterally using the stolen sensitive data, and escalate their privileges."
A critical use-after-free vulnerability in Redis (CVE-2025-49844, RediShell) can enable remote arbitrary code execution. The official Redis container does not require authentication by default, and roughly 330,000 Redis servers are exposed to the internet, with about 60,000 lacking authentication. Internet exposure combined with no authentication allows attackers to send Lua scripts, trigger the bug, escape the Lua sandbox, and execute arbitrary code. Exploits can deploy reverse shells for persistence, harvest credentials, exfiltrate data, install malware, and move laterally to escalate privileges. Widespread Redis use in cloud environments increases the potential impact of exploited instances.
Read at SecurityWeek