Security firm Sysdig is warning about a critical vulnerability in the widely used in-memory data store Redis. The flaw, tracked as CVE-2025-49844 and dubbed “RediShell” by security researchers, carries the maximum CVSS score of 10.0 and lets an attacker who can submit a Lua script to the server take over the host it runs on.
The vulnerability is rooted in Redis’s Lua scripting subsystem and has been present in the source code for approximately 13 years, i.e. for as long as Redis has shipped Lua scripting (introduced in version 2.6). A specially crafted Lua script manipulates the Lua garbage collector and triggers a use-after-free in the interpreter. This lets the attacker escape the Lua sandbox and execute arbitrary native code with the privileges of the Redis process, which on many deployments means root.
Redis ships without authentication by default: unless a password or ACL users are configured, any client that can reach the port can run commands, including EVAL. Protected mode only refuses remote connections while no bind address and no password are set, so an instance bound to an external interface without a password is open to anyone on the network. After a successful compromise, attackers can steal credentials, install malware, exfiltrate sensitive data, or move laterally within the network.
Discovery at Pwn2Own
The vulnerability was discovered by security researchers from Wiz during the Pwn2Own competition held in Berlin in May 2025. Redis released patches for affected versions on October 3, 2025.
All Redis versions with Lua scripting support enabled are affected, including both open-source and enterprise editions. Patched versions include:
- Redis OSS/CE/Stack: versions 8.2.2, 8.0.4, 7.4.6, 7.2.11, and 6.2.20 and above
- Redis Enterprise: versions 7.22.2-12, 7.8.6-207, 7.4.6-272, 7.2.4-138, and 6.4.2-131 and above
Redis Cloud customers have already been automatically updated and require no further action.
Recommended Countermeasures
Administrators should patch affected systems immediately. Sysdig recommends the following measures; updating is the fix, the remaining points are interim protection until every instance has been patched:
- Immediately update to a patched version
- Disable Lua scripting where it is not strictly required
- Restrict the EVAL and EVALSHA commands via Access Control Lists (ACLs); note that Redis Functions (FUNCTION and FCALL) and the EVAL_RO/EVALSHA_RO variants also run Lua, so denying the whole @scripting category is the safer rule
- Implement network segmentation so that a compromised instance cannot be used for lateral movement
- Run redis-server as an unprivileged user, so that a sandbox escape yields only that account’s privileges rather than root
- Take internet-exposed instances offline or patch them first
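To make the two steps that can be automated concrete, the following added example (not code from Sysdig, Wiz, or the Redis project) reads the `redis_version` line from a Redis `INFO server` dump, classifies the instance against the OSS/CE/Stack fixed versions listed above, and emits the ACL commands that strip Lua execution from a set of users. The `INFO` text is constructed sample input; the fixed-version table is taken from the advisory figures quoted in this article and would need extending for later branches.

```python
"""Triage a Redis instance for CVE-2025-49844 and build the interim ACL mitigation.

Added example, not vendor code. Assumes the OSS/CE/Stack fixed releases quoted
above: 8.2.2, 8.0.4, 7.4.6, 7.2.11, 6.2.20. Enterprise builds use a different
version scheme and are not covered here.
"""
import re

# First fixed release on each supported branch, keyed by (major, minor).
FIXED = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 4),
    (7, 4): (7, 4, 6),
    (7, 2): (7, 2, 11),
    (6, 2): (6, 2, 20),
}

# Constructed sample of `redis-cli INFO server` output (not a real host).
SAMPLE_INFO = """# Server
redis_version:7.2.5
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
tcp_port:6379
"""


def parse_version(info_text):
    """Return the redis_version from an INFO dump as an (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Classify a version as 'patched', 'vulnerable' or 'unknown'.

    - Branch in the table: compare against its first fixed release.
    - Branch newer than anything in the table: 'unknown' (advisory table must be re-checked).
    - Any other branch (EOL lines such as 7.0, 6.0, 5.x): no fix exists, so 'vulnerable'.
    """
    branch = version[:2]
    if branch in FIXED:
        return "patched" if version >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "unknown"
    return "vulnerable"


def acl_hardening_commands(users=("default",)):
    """Build ACL SETUSER lines that remove Lua execution for each user.

    '-@scripting' removes EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION and
    FCALL in one rule; Redis Functions are Lua too, so '-eval -evalsha' alone
    would leave FUNCTION LOAD / FCALL as a way to reach the same interpreter.
    """
    return [f"ACL SETUSER {user} -@scripting" for user in users]


def triage(info_text, users=("default",)):
    """Return (classification, list of mitigation commands) for one instance."""
    status = classify(parse_version(info_text))
    commands = [] if status == "patched" else acl_hardening_commands(users)
    return status, commands


if __name__ == "__main__":
    status, commands = triage(SAMPLE_INFO, users=("default", "app"))
    print("status:", status)
    for cmd in commands:
        print("redis-cli", cmd)
```

Feed it real output with `redis-cli -h <host> INFO server` piped into a file. The ACL changes take effect immediately for new commands but do not survive a restart unless an `aclfile` is configured and `ACL SAVE` is run, or the equivalent `user … -@scripting` line is placed in redis.conf; they are a stopgap, not a replacement for updating.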
(lb/Sysdig)