A 13-year-old bug just gave attackers a one-way ticket to full server compromise.

What happened (short): CVE-2025-49844 — “RediShell” — is a use-after-free bug in Redis’s Lua engine that can let a crafted EVAL/EVALSHA script escape the Lua sandbox and achieve remote code execution. It’s been in the code for ~13 years and is rated critical.

Why you should care (fast):
• Redis often holds session tokens, API keys, caches and more — compromise Redis, and you can pivot everywhere.
• Researchers estimate ~330,000 Redis instances are internet-reachable today and ~60,000 have no authentication configured — easy targets.

Immediate action checklist (do these now):
• Patch to fixed releases (OSS: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+). If you run Stack/Enterprise, follow Redis’ advisory for fixed builds.
• If you can’t patch immediately — disable Lua execution (block EVAL/EVALSHA via ACLs), enforce authentication, and lock Redis behind firewalls/SGs.
• Scan: search your public IP space (Shodan/Censys), review container images and default Docker configs, check managed-cache provider advisories.
• Hunt for indicators: unexpected reverse shells, unfamiliar processes, stolen tokens — assume any exposed Redis could have been probed.

For leaders (CISO/ENG): treat this as a cross-team emergency — infra, app teams, SREs and cloud ops must coordinate fixes + secrets rotation. Don’t assume “it’s only a cache.”

If you run Redis: patch + restrict + verify. If you don’t run Redis, forward this to whoever does — this one bites fast.

Share this if you want your network to actually do something — not just read another CVE.

#cybersecurity #infosec #redis #vulnerability #devops #cloudsecurity
Ajay Verma’s Post
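To verify the "can't patch immediately" step, here is an added example (not part of the original post and not Redis's own tooling): a Python audit of `ACL LIST` output that flags enabled users who can still run EVAL/EVALSHA or log in without a password. The sample ACL lines are constructed, and treating `@scripting` and `@slow` as the categories that contain both commands is an assumption taken from the Redis command documentation, not from the post.

```python
import re

SCRIPT_CMDS = ("eval", "evalsha")          # the commands the post says to block
CATEGORIES = ("all", "scripting", "slow")  # assumption: ACL categories holding both

def script_cmds_allowed(rules):
    """Apply ACL command rules left to right; return script commands still allowed."""
    allowed = dict.fromkeys(SCRIPT_CMDS, False)
    for rule in rules:
        r = rule.lower()
        if r[0] not in "+-" or len(r) < 2:
            continue                                # key, channel, password rules
        grant, target = r[0] == "+", r[1:]
        if target.startswith("@"):
            if target[1:] in CATEGORIES:
                allowed = dict.fromkeys(SCRIPT_CMDS, grant)
        elif target in allowed:
            allowed[target] = grant
    return {c for c in SCRIPT_CMDS if allowed[c]}

def audit_acl_line(line):
    """Return (username, findings) for one line of `ACL LIST` output."""
    selectors = re.findall(r"\(([^)]*)\)", line)    # Redis 7+ selectors
    tokens = re.sub(r"\([^)]*\)", " ", line).split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % line)
    name, rules = tokens[1], tokens[2:]
    if [r for r in rules if r in ("on", "off")][-1:] != ["on"]:
        return name, []                             # disabled users cannot log in
    findings = ["no password (nopass)"] if "nopass" in rules else []
    cmds = script_cmds_allowed(rules)
    for sel in selectors:                           # any selector may grant access
        cmds |= script_cmds_allowed(sel.split())
    if cmds:
        findings.append("can run " + ",".join(sorted(cmds)))
    return name, findings

def audit(text):  # username -> findings, only for users with at least one finding
    return {n: f for n, f in map(audit_acl_line, filter(str.strip, text.splitlines())) if f}

# Constructed sample, shaped like `redis-cli ACL LIST` output.
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #constructed-hash ~app:* resetchannels -@all +get +set +del
user batch on #constructed-hash ~* &* +@all -@scripting +evalsha
user legacy off nopass ~* &* +@all
"""

if __name__ == "__main__":
    print(audit(SAMPLE_ACL_LIST))
```

The `batch` user shows why rule order matters: a later `+evalsha` re-grants the command after `-@scripting` removed it.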