Threat Signal Report

RediShell RCE Vulnerability

What is the Vulnerability?	A Use-After-Free (UAF) bug in Redis’s Lua scripting subsystem (tracked as CVE-2025-49844, “RediShell”) allows an authenticated attacker who can run Lua scripts to escape the Lua sandbox and achieve arbitrary native code execution on the Redis host. This is a critical (CVSS 10.0), high-impact vulnerability because Lua scripting is enabled by default and many deployments lack proper authentication or are internet-exposed, leading to theft of credentials, deployment of malware/miners, lateral movement, exfiltration, and loss of availability.
What is the recommended Mitigation?	Patches were released on October 3, 2025. Redis Cloud was automatically patched, but self-managed instances must be upgraded immediately. Upgrade all self-managed Redis instances to one of the fixed versions listed in the Redis advisory. Redis Cloud customers were auto-patched. If you cannot patch immediately, apply temporary mitigations: Disable Lua scripting where it’s not required for application functionality. If Lua is required, restrict which identities can run scripts and monitor their usage.
What FortiGuard Coverage is available?	Lacework FortiCNAPP automatically detects this vulnerability via the Vulnerability Management module when Redis is installed via a package manager on a host or container. How does Lacework FortiCNAPP Protect from... - Fortinet Community FortiCNAPP also detects usage of the official Redis Docker image via alerts and will escalate the alert severity to 'Critical' when this exploit is detected to be actively in use. Cloud Vulnerability and Threat Detection \| FortiGuard Labs Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-49844. Intrusion Prevention \| FortiGuard Labs FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. Endpoint Vulnerability \| FortiGuard Labs The FortiGuard Incident Response team can be engaged to help with any suspected compromise.