Redis Has A Flaw That Is The Absolute Worst Possible Flaw A Product Can Have

Posted in Commentary with tags on October 7, 2025 by itnerd

A newly disclosed critical vulnerability in Redis, dubbed RediShell (CVE-2025-49844), has exposed up to 60,000 unauthenticated Redis servers to potential remote code execution. The flaw, which has existed in Redis code for over 13 years, carries a CVSS score of 10.0 (the worst possible score by the way) and stems from a use-after-free issue in the Lua interpreter. 

Anders Askasen, VP of Product Marketing, Radiant Logic:

     “This newly disclosed Redis vulnerability is a reminder that technical debt doesn’t just live in code, it lives in configuration. Thirteen years of latent risk surfaced because default settings and weak segmentation went unobserved. When foundational services like Redis run unauthenticated or exposed, they create invisible attack paths that can pivot directly into identity and access systems. The answer isn’t just patching faster but seeing sooner. Identity observability provides the real-time visibility, control validation, and remediation needed to uncover these blind spots before attackers do.”

This blog post has mitigation strategies that you should read and implement if you are affected by this. I say that because this flaw is the absolute worst possible flaw, which means that this is a today problem if you are a Redis user.
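The exposure the post describes has three ingredients: a Redis listener reachable from beyond loopback, no authentication, and a reachable Lua interpreter (EVAL/EVALSHA). Upgrading to a fixed Redis release is the actual remediation; the check below only tells you whether a given redis.conf leaves those ingredients in place, which is what decides whether this is a "today problem" for a particular host. This is an added example, not code from the original post or from the Redis project. The directives it parses (bind, protected-mode, requirepass, user, rename-command) are real redis.conf keywords; the two sample configurations and their placeholder secrets are constructed for illustration, and the ACL modelling covers only the rule forms used in those samples.

```python
"""Exposure check for a Redis configuration against the RediShell
(CVE-2025-49844) attack surface: an exposed, unauthenticated server whose
Lua interpreter (EVAL/EVALSHA) is reachable.

Added example, not code from the post or the Redis project. Directive names
are real redis.conf keywords; the sample configs and secrets are constructed.
"""
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
SCRIPT_CMDS = ("eval", "evalsha")


@dataclass
class Exposure:
    bind: list
    protected_mode: bool
    authenticated: bool
    scripting_reachable: bool
    findings: list = field(default_factory=list)


def parse_redis_conf(text):
    """Map each directive to the list of argument lists it was given, in file order."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def _scripting_allowed(rule_args, is_default):
    """Walk ACL rules in order (last rule wins, as Redis applies them) and report
    whether either Lua entry point is still callable. The default user starts
    with +@all; any other user starts with no commands."""
    allowed = {c: is_default for c in SCRIPT_CMDS}
    for r in (x.lower() for x in rule_args):
        if r in ("+@all", "allcommands"):
            allowed = {c: True for c in SCRIPT_CMDS}
        elif r in ("-@all", "nocommands"):
            allowed = {c: False for c in SCRIPT_CMDS}
        elif r in ("+@scripting", "-@scripting"):
            allowed = {c: r.startswith("+") for c in SCRIPT_CMDS}
        elif r[1:] in SCRIPT_CMDS and r[0] in "+-":
            allowed[r[1:]] = r.startswith("+")
    return any(allowed.values())


def audit(conf_text):
    d = parse_redis_conf(conf_text)
    # Defaults match redis.conf since 3.2: loopback bind, protected-mode on.
    bind = d.get("bind", [["127.0.0.1"]])[-1]
    protected = d.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"

    rp = d.get("requirepass", [])
    has_requirepass = bool(rp) and bool(rp[-1]) and rp[-1][0] not in ('""', "''")

    # ACL users from "user <name> <rules...>"; the default user exists even without a line.
    users = {args[0]: [x.lower() for x in args[1:]] for args in d.get("user", []) if args}
    users.setdefault("default", [])
    default_has_pw = has_requirepass or any(x.startswith((">", "#")) for x in users["default"])

    # A user is unauthenticated if it is enabled and either says nopass, or is the
    # default user with no password from either requirepass or its ACL line.
    unauth_users = [
        name for name, rules in users.items()
        if "off" not in rules
        and ("nopass" in rules or (name == "default" and not default_has_pw))
    ]

    # rename-command EVAL "" (and EVALSHA) removes the commands for everyone.
    renamed_off = {args[0].upper() for args in d.get("rename-command", [])
                   if len(args) == 2 and args[1] in ('""', "''")}
    if {"EVAL", "EVALSHA"} <= renamed_off:
        scripting_reachable = False
    else:
        scripting_reachable = any(
            _scripting_allowed(rules, name == "default")
            for name, rules in users.items() if "off" not in rules
        )

    findings = []
    if not set(bind) <= LOOPBACK:
        findings.append(f"bind {' '.join(bind)}: listens on a non-loopback interface")
    if not protected:
        findings.append("protected-mode no: exposure guard disabled")
    if unauth_users:
        findings.append("unauthenticated access for user(s): " + ", ".join(unauth_users))
    if scripting_reachable:
        findings.append("EVAL/EVALSHA reachable: Lua interpreter is on the attack surface")
    return Exposure(bind, protected, not unauth_users, scripting_reachable, findings)


# Constructed sample: the shape of config that the post's 60,000 exposed hosts share.
RISKY_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, password set, scripting denied to every user.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_A_LONG_SECRET
user default on >REPLACE_WITH_A_LONG_SECRET ~* &* +@all -@scripting
user app on >REPLACE_WITH_ANOTHER_SECRET ~app:* &* +@read +@write
"""

if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf).findings or ["no exposure findings"])
```

Run it against the real /etc/redis/redis.conf of each host you inventory; an empty findings list means the configuration closes the paths the post warns about, but it does not substitute for the version upgrade, since a patched binary is what removes the use-after-free itself.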