RediShell RCE Vulnerability

Blog

Byadmblake October 16, 2025

What is the Vulnerability? A Use-After-Free (UAF) bug in Redis’s Lua scripting subsystem (tracked as CVE-2025-49844, “RediShell”) allows an authenticated attacker who can run Lua scripts to escape the Lua sandbox and achieve arbitrary native code execution on the Redis host. This is a critical (CVSS 10.0), high-impact vulnerability because Lua scripting is enabled by…

What is the Vulnerability?

A Use-After-Free (UAF) bug in Redis’s Lua scripting subsystem (tracked as CVE-2025-49844, “RediShell”) allows an authenticated attacker who can run Lua scripts to escape the Lua sandbox and achieve arbitrary native code execution on the Redis host.

This is a critical (CVSS 10.0), high-impact vulnerability because Lua scripting is enabled by default and many deployments lack proper authentication or are internet-exposed, leading to theft of credentials, deployment of malware/miners, lateral movement, exfiltration, and loss of availability.

What is the recommended Mitigation?

Patches were released on October 3, 2025. Redis Cloud was automatically patched, but self-managed instances must be upgraded immediately.
Upgrade all self-managed Redis instances to one of the fixed versions listed in the Redis advisory. Redis Cloud customers were auto-patched.
If you cannot patch immediately, apply temporary mitigations:

Disable Lua scripting where it’s not required for application functionality. If Lua is required, restrict which identities can run scripts and monitor their usage.

What FortiGuard Coverage is available?

Lacework FortiCNAPP automatically detects this vulnerability via the Vulnerability Management module when Redis is installed via a package manager on a host or container.

How does Lacework FortiCNAPP Protect from… – Fortinet Community
FortiCNAPP also detects usage of the official Redis Docker image via alerts and will escalate the alert severity to ‘Critical’ when this exploit is detected to be actively in use.

Cloud Vulnerability and Threat Detection | FortiGuard Labs
Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-49844.

Intrusion Prevention | FortiGuard Labs
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface.

Endpoint Vulnerability | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

Blog

New Advanced Linux VoidLink Malware Targets Cloud and container Environments

Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that’s specifically designed for long-term, stealthy access to Linux-based cloud environments According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular

Read More New Advanced Linux VoidLink Malware Targets Cloud and container Environments
Blog

Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa

Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access. Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014, where “CL” refers to “cluster” and “CRI” stands for…

Read More Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa
Blog

5 Identity Threat Detection & Response Must-Haves for Super SaaS Security

Identity-based attacks are on the rise. Attackers are targeting identities with compromised credentials, hijacked authentication methods, and misused privileges. While many threat detection solutions focus on cloud, endpoint, and network threats, they overlook the unique risks posed by SaaS identity ecosystems. This blind spot is wreaking havoc on heavily SaaS-reliant organizations big and small

Read More 5 Identity Threat Detection & Response Must-Haves for Super SaaS Security
Blog

Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials

Cybersecurity researchers have demonstrated a novel technique that allows a malicious web browser extension to impersonate any installed add-on. “The polymorphic extensions create a pixel perfect replica of the target’s icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to

Read More Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials
Blog

5 Threats That Defined Security in 2025

2025 included a number of monumental threats, from the global attacks of Salt Typhoon to dangerous vulnerabilities like React2Shell.

Read More 5 Threats That Defined Security in 2025
Blog

Sophos Recognized as Top Employer in British Columbia, Canada

Sophos has been named as one of the top employers in British Columbia, Canada for the ninth year running.

Read More Sophos Recognized as Top Employer in British Columbia, Canada

Related