Redis Users Warned: Decade-Old Bug Now Exploited in Wild

Image caption: Redis flaw CVE-2025-23345 exposes systems to remote code execution after 13 years unnoticed.

A 13-year-old vulnerability in the popular open-source Redis in-memory database has been discovered, exposing millions of deployments to remote code execution (RCE) attacks. The flaw, tracked as CVE-2025-23345, received a maximum CVSS score of 10.0, marking it as critical.

Security researchers at Jiangsu Yunshu Network Technology uncovered the issue, which stems from unsafe file permission handling in Redis persistence features. Attackers exploiting the flaw can overwrite key configuration or authentication files, leading to arbitrary code execution with system privileges.

The vulnerability lies within Redis’ AOF (Append Only File) and RDB (Redis Database File) mechanisms — specifically how they manage data persistence and rewrite operations. When configured to run as root or under misconfigured permissions, Redis allows overwriting system-level files, such as authorized_keys or startup scripts.

This misconfiguration dates back to Redis 2.6, first released in 2012, and persisted through multiple stable versions.

According to Rapid7’s analysis, attackers can gain full remote control over a vulnerable instance by writing crafted data payloads into critical directories. If Redis runs with root privileges, exploitation leads to complete system compromise.

Attack Surface and Exposure

Shodan scans reveal over 290,000 Redis servers publicly exposed on the internet, with thousands running versions susceptible to this flaw. Many instances still use default configurations, allowing unauthenticated write access.

Exploitation requires no authentication if Redis is misconfigured to accept external network connections. Attackers can issue crafted commands to rewrite local files, inject SSH keys, or create malicious startup scripts executed upon service restart.

Researchers note that this flaw is functionally identical to older Redis misuses reported years earlier, but that it has been newly rediscovered because of its severe impact and ease of exploitation.

Redis’ Response

Redis maintainers have released patches addressing the vulnerability in versions 7.0.15, 6.2.16, and 5.0.15. The patch enforces stricter file permission validation and path sanitation checks when writing AOF or RDB files.

Redis Labs stated that while the vulnerability existed for over a decade, it only posed a severe risk in improperly deployed environments, particularly when Redis runs with root access.

Administrators are urged to:

  • Run Redis under a dedicated non-root account.

  • Restrict write permissions to Redis directories.

  • Disable external connections if not required.

  • Deploy the latest patched version immediately.
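The four recommendations above can be turned into a repeatable check. The script below is an added example written for this article; it is not code from the article, from Redis, or from the researchers cited. It parses a redis.conf, compares the running version against the patched releases the article lists (7.0.15, 6.2.16, 5.0.15), and flags the settings the advice targets: running as root, binding to all interfaces, protected mode off, no password, and a persistence directory outside an allow-list. The allow-list of data directories and the two sample configurations are constructed assumptions for the demonstration, not Redis defaults.

```python
"""Audit a redis.conf and running version against the hardening advice above.

Added example for this article. The allowed data directories and the sample
configurations are constructed assumptions, not Redis defaults.
"""

# Patched releases named in the article, keyed by (major, minor) branch.
PATCHED_RELEASES = {
    (7, 0): (7, 0, 15),
    (6, 2): (6, 2, 16),
    (5, 0): (5, 0, 15),
}

# Where persistence files (RDB/AOF) are expected to land; assumed site policy.
ALLOWED_DATA_DIRS = ("/var/lib/redis", "/data")

# Bind tokens that mean "listen on every interface" (IPv4 and IPv6 forms).
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Parse redis.conf into {directive: [values...]}; comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def last(conf, key, default=""):
    """Redis applies the last occurrence of a repeated directive."""
    return conf[key][-1] if conf.get(key) else default


def parse_version(s):
    return tuple(int(x) for x in s.strip().split("."))


def version_findings(version):
    """Report if the version is older than the patched release of its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in PATCHED_RELEASES:
        return [f"version {version}: branch not in the patched list; check the vendor advisory"]
    fixed = PATCHED_RELEASES[branch]
    if v < fixed:
        return [f"version {version} is older than patched release {'.'.join(map(str, fixed))}"]
    return []


def audit(conf_text, version, run_as_user):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(conf_text)
    findings = list(version_findings(version))

    if run_as_user == "root":
        findings.append("service runs as root; use a dedicated non-root account")

    # A missing bind directive is treated conservatively as all interfaces.
    bind = last(conf, "bind")
    if not bind or any(tok.lstrip("-") in ALL_INTERFACES for tok in bind.split()):
        findings.append("bind allows connections from all interfaces")

    if last(conf, "protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")

    if not last(conf, "requirepass"):
        findings.append("no requirepass set; unauthenticated clients can write data")

    data_dir = last(conf, "dir", "./")
    if not data_dir.startswith(ALLOWED_DATA_DIRS):
        findings.append(f"persistence dir {data_dir!r} is outside the allowed data directories")

    return findings


# Constructed sample: an exposed, default-style deployment.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /root
dbfilename dump.rdb
appendonly no
"""

# Constructed sample: the same service after applying the recommendations.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "change-me-long-random-secret"
dir /var/lib/redis
dbfilename dump.rdb
appendonly yes
"""

if __name__ == "__main__":
    for label, conf, ver, user in (("weak", WEAK_CONF, "6.2.14", "root"),
                                    ("hardened", HARDENED_CONF, "7.0.15", "redis")):
        print(f"[{label}] {len(audit(conf, ver, user))} finding(s)")
        for f in audit(conf, ver, user):
            print("  -", f)
```

On a real host the version string comes from `redis-server --version` and the account from the process list; the script deliberately takes both as arguments so it can be run against a configuration file offline, for example in a container image scan before deployment.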

Industry Reaction

Security experts are calling this discovery a wake-up call for organizations relying on long-lived open-source deployments. Misconfigurations remain one of the leading causes of critical infrastructure breaches, often stemming from default settings that persist across years of upgrades.

According to CERT/CC, Redis deployments in cloud environments like AWS, Azure, and Alibaba Cloud are especially at risk when ports are publicly exposed.

The flaw’s rediscovery also reignites debate about supply-chain hygiene, as many container images use outdated Redis builds. Security professionals warn that legacy open-source components can silently carry decade-old vulnerabilities still exploitable in modern contexts.

Global Impact and Risk Assessment

With Redis serving as a backbone for caching and data queues in financial systems, IoT platforms, and SaaS applications, this vulnerability poses widespread risk.

Attackers who exploit the flaw can:

  • Execute arbitrary code on host systems.

  • Escalate privileges through poisoned configurations.

  • Pivot laterally across cloud instances sharing credentials or volumes.

The CVSS 10.0 rating reflects the potential for complete remote takeover with low complexity. Security vendors including Trend Micro, Palo Alto Networks, and Aqua Security have updated intrusion detection rules to flag related activity.

FAQs

Q: What causes the Redis CVE-2025-23345 vulnerability?
A: It’s caused by unsafe file write permissions in Redis’ persistence mechanisms, allowing attackers to overwrite system files.

Q: Is authentication required to exploit it?
A: Not necessarily; exploitation is possible if Redis is accessible externally and misconfigured.

Q: How long has this flaw existed?
A: The issue traces back to Redis 2.6, making it active for roughly 13 years before discovery.

Q: Which versions are patched?
A: Redis 7.0.15, 6.2.16, and 5.0.15 fix the flaw with stricter file handling and path validation.

Q: How should organizations mitigate risk?
A: Patch immediately, run Redis as a non-root user, and restrict external network exposure.
