Potential Redis Lua Use-After-Free RCE Attempt (CVE-2025-49844 / RediShell)

Last updated 5 days ago on 2026-06-11
Created 5 days ago on 2026-06-11

About

This rule detects exploitation attempts targeting CVE-2025-49844 (RediShell), a CVSS 10.0 use-after-free vulnerability in the Redis Lua interpreter. An authenticated attacker sends an EVAL command containing a Lua script that calls string.rep() to create memory pressure and collectgarbage('collect') to force garbage collection, exploiting a use-after-free in the Lua parser to achieve remote code execution.
Tags
Domain: Network
Use Case: Threat Detection
Use Case: Vulnerability
Tactic: Initial Access
Tactic: Execution
Data Source: Network Packet Capture
Language: eql
Severity
critical
Risk Score
99
MITRE ATT&CK™

Initial Access (TA0001)

Execution (TA0002)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.redis*
Related Integrations

network_traffic

Query
network where data_stream.dataset == "network_traffic.redis" and
  network_traffic.redis.query like~ "*EVAL*" and
  network_traffic.redis.query like~ "*string.rep*" and
  network_traffic.redis.query like~ "*collectgarbage*"
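The following is an added worked example (not Elastic's code) that replays the rule's logic in Python over constructed Redis events: it reproduces the `network where` category check, the dataset check and the three `like~` wildcard clauses (case-insensitive, `*` matching any run of characters), so you can see which decoded queries would alert and which would not. The event field names follow the query above; `source.ip` and the sample queries are assumptions made up for the demonstration.

```python
"""Replay the RediShell EQL rule over constructed Redis events (example code,
not part of the Elastic rule package)."""
import re

# The three wildcard conditions from the rule's EQL query.
RULE_PATTERNS = ("*EVAL*", "*string.rep*", "*collectgarbage*")


def eql_like(value: str, pattern: str, case_insensitive: bool = True) -> bool:
    """Approximate EQL `like` (case-sensitive) / `like~` (case-insensitive):
    `*` matches any run of characters, `?` exactly one character."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    regex = regex.replace(r"\?", ".")
    flags = re.DOTALL | (re.IGNORECASE if case_insensitive else 0)
    return re.fullmatch(regex, value, flags) is not None


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every clause of the rule's query."""
    if event.get("event.category") != "network":  # `network where ...`
        return False
    if event.get("data_stream.dataset") != "network_traffic.redis":
        return False
    query = event.get("network_traffic.redis.query", "")
    return all(eql_like(query, p) for p in RULE_PATTERNS)


def alerting_clients(events: list) -> list:
    """Source IPs (a constructed field) of the events that would alert."""
    return [e["source.ip"] for e in events if matches_rule(e)]


# Constructed events standing in for decoded Redis packets (not real captures).
SAMPLE_EVENTS = [
    {"event.category": "network", "data_stream.dataset": "network_traffic.redis",
     "source.ip": "10.0.0.5",
     "network_traffic.redis.query": 'EVAL "string.rep(\'A\', 8) collectgarbage(\'collect\')" 0'},
    # Lower-case command: `like~` is case-insensitive, so this still matches.
    {"event.category": "network", "data_stream.dataset": "network_traffic.redis",
     "source.ip": "10.0.0.6",
     "network_traffic.redis.query": 'eval "collectgarbage(); string.rep(\'b\', 2)" 0'},
    # Ordinary EVAL with no garbage-collector call: only two of three clauses.
    {"event.category": "network", "data_stream.dataset": "network_traffic.redis",
     "source.ip": "10.0.0.7",
     "network_traffic.redis.query": 'EVAL "return string.rep(\'-\', 20)" 0'},
    # Right tokens but wrong dataset: the rule is scoped to decoded Redis traffic.
    {"event.category": "network", "data_stream.dataset": "network_traffic.http",
     "source.ip": "10.0.0.8",
     "network_traffic.redis.query": "EVAL string.rep collectgarbage"},
]

if __name__ == "__main__":
    print(alerting_clients(SAMPLE_EVENTS))  # ['10.0.0.5', '10.0.0.6']
```

Because the rule keys only on the co-occurrence of the three substrings, legitimate scripts that happen to use both string.rep and collectgarbage will also alert, so triage on the source host and the script body; note too that the rule only sees queries the packet-capture integration can decode in cleartext.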

Install detection rules in Elastic Security

Detect Potential Redis Lua Use-After-Free RCE Attempt (CVE-2025-49844 / RediShell) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.