Critical Flaw in Redis Requires Urgent Patching

This message is intended for U-M IT staff who are responsible for university systems that use Redis. It may also be of interest to anyone using Redis on non-U-M systems.

Summary

A critical Remote Code Execution (RCE) vulnerability in Redis can allow threat actors to run arbitrary code on vulnerable instances. System administrators should patch Redis installations as soon as possible, prioritizing internet-exposed systems. Please note that ITS-hosted systems are being patched.

Problem

A use-after-free vulnerability in Redis can be exploited by threat actors using a specially crafted Lua script (Lua scripting is enabled by default). Successful exploitation enables the threat actor to escape the Lua sandbox, trigger the use-after-free, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis host.

Threats

Exploitation is increasingly likely now that details of this vulnerability are publicly available.

Affected Versions

  • All Redis versions released over the past 13 years should be considered affected.
  • Redis forks from that period, such as Valkey, are also affected. Some forks have released updates that address the same CVEs.

Action Items

Internet-exposed systems using Redis should be prioritized.

  • Patching is urgent for any system using Redis, especially if exposed to the internet. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
  • System administrators should also take this opportunity to re-evaluate whether internet exposure is a business-critical need, and to reconfigure Redis instances so they are not reachable from the internet where that access isn't needed.
  • Ensure all Redis instances require robust authentication for access.
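The following audit helper is an added example, not part of this advisory and not an ITS tool: it reads a redis.conf file and flags the two settings the action items above ask administrators to re-evaluate, network exposure (bind address and protected-mode) and authentication (requirepass or ACL user passwords). The two sample configurations are constructed for the demonstration.

```python
# Added audit helper for this advisory (not ITS code); sample configs below are constructed.
import shlex

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}

def parse_redis_conf(text):
    """Return (directive, args) pairs from redis.conf text; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # redis.conf quotes values with "..." like a shell
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_redis_conf(text)
    findings = []
    # Exposure: no bind directive or a wildcard address means every interface is listening.
    binds = [a.lstrip("-") for d, args in entries if d == "bind" for a in args]
    if not binds:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    elif any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind uses a wildcard address: reachable from every interface")
    if any(d == "protected-mode" and args[:1] == ["no"] for d, args in entries):
        findings.append("protected-mode is explicitly disabled")
    # Authentication: requirepass, or an ACL user rule carrying a >password or #sha256 credential.
    has_requirepass = any(d == "requirepass" and args and args[0] for d, args in entries)
    acl_users = [args for d, args in entries if d == "user"]
    has_acl_password = any(any(tok[:1] in ("#", ">") for tok in rule[1:]) for rule in acl_users)
    if any(rule and rule[0] == "default" and "nopass" in rule for rule in acl_users):
        findings.append("default ACL user is configured with 'nopass'")
    if not (has_requirepass or has_acl_password):
        findings.append("no authentication configured (no requirepass or ACL password)")
    return findings

WEAK_CONF = """\
# constructed sample: reachable from any interface, no password
bind * -::*
protected-mode no
"""
HARDENED_CONF = """\
# constructed sample: loopback only, password required (protected-mode defaults to yes)
bind 127.0.0.1 -::1
requirepass "replace-with-a-long-random-secret"
"""
if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF), "hardened:", audit_redis_conf(HARDENED_CONF))
```

The parser does not follow `include` directives, so audit every file an instance actually loads.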

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.

Sincerely,

ITS Information Assurance