RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score

Wiz Research has identified a critical remote code execution vulnerability, designated CVE-2025-49844 and nicknamed RediShell, affecting all versions of the Redis database system. This flaw originates from a thirteen-year-old bug and carries a maximum CVSS score of 10.0, indicating severe risk. Given Redis deployment in approximately 75% of cloud environments, the potential impact is widespread, allowing attackers to execute arbitrary commands on vulnerable servers. Immediate patching is crucial to prevent unauthorized access and potential data compromise. Organizations utilizing Redis must prioritize updating to secured versions and audit their cloud infrastructure for exposure. While no active exploitation campaigns by specific threat actors are detailed in this report, the severity warrants urgent mitigation efforts to safeguard critical cloud assets against potential remote compromise and subsequent lateral movement within networks.

Wiz Research discovers vulnerability stemming from 13-year-old bug present in all Redis versions, used in 75% of cloud environments.

Wiz Research has identified a critical remote code execution vulnerability, designated CVE-2025-49844 and nicknamed RediShell, affecting all versions of the Redis database system. This flaw originates from a thirteen-year-old bug and carries a maximum CVSS score of 10.0, indicating severe risk. Given Redis deployment in approximately 75% of cloud environments, the potential impact is widespread, allowing attackers to execute arbitrary commands on vulnerable servers. Immediate patching is crucial to prevent unauthorized access and potential data compromise. Organizations utilizing Redis must prioritize updating to secured versions and audit their cloud infrastructure for exposure. While no active exploitation campaigns by specific threat actors are detailed in this report, the severity warrants urgent mitigation efforts to safeguard critical cloud assets against potential remote compromise and subsequent lateral movement within networks. Wiz Research discovers vulnerability stemming from 13-year-old bug present in all Redis versions, used in 75% of cloud environments. Wiz Research discovers vulnerability stemming from 13-year-old bug present in all Redis versions, used in 75% of cloud environments.