PatchSiren cyber security CVE debrief

CVE-2026-25243 redis CVE debrief

CVE-2026-25243 is a high-severity vulnerability in Redis, an in-memory data structure store. The RESTORE command does not properly validate serialized values, allowing an authenticated attacker with permission to execute RESTORE to supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This vulnerability is patched in version 8.6.3. The CVSS score for this vulnerability is 7.7, indicating a high severity. The vulnerability was published on May 5, 2026, and last modified on June 30, 2026.

Vendor: redis
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-06-30
Advisory published: 2026-05-05
Advisory updated: 2026-06-30

Who should care

System administrators and security teams responsible for managing Redis instances should be aware of this vulnerability. Developers who use Redis in their applications should also take note and ensure that their instances are updated to version 8.6.3 or later. Users of Redis should prioritize patching this vulnerability, as it can lead to remote code execution.

Technical summary

The RESTORE command in Redis does not properly validate serialized values, allowing an authenticated attacker with permission to execute RESTORE to supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. The vulnerability has a CVSS score of 7.7 and is classified as high severity. It was introduced in an earlier version of Redis and is patched in version 8.6.3. A workaround is to restrict access to the RESTORE command with ACL rules.

Defensive priority

High priority should be given to patching this vulnerability, as it can lead to remote code execution. System administrators and security teams should ensure that Redis instances are updated to version 8.6.3 or later. Until the update is applied, access to the RESTORE command should be restricted with ACL rules as a temporary measure.

Recommended defensive actions

  • Update Redis instances to version 8.6.3 or later
  • Restrict access to the RESTORE command with ACL rules
  • Monitor Redis instances for suspicious activity
  • Review and update ACL rules to ensure proper access control
  • Consider implementing additional security measures such as network segmentation and intrusion detection
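The ACL workaround above, written out as an added example that is not part of the PatchSiren advisory or the Redis project's documentation. It assumes an ACL file loaded through the `aclfile` directive in redis.conf (the path and the user names `app` and `reporter` are assumptions); passwords are placeholders.

```conf
# users.acl (added example, not from the advisory). Load with
#   aclfile /etc/redis/users.acl        <- path is an assumption
# in redis.conf, then restart or run ACL LOAD.
#
# ACL rules are applied left to right, so "-restore" must come AFTER "+@all";
# a later "+@all" would silently re-enable RESTORE.

# Application user: full key and channel access, but RESTORE removed
user app on >REPLACE-WITH-STRONG-SECRET ~* &* +@all -restore

# Reporting user: read-only commands only, so RESTORE was never granted
user reporter on >REPLACE-WITH-STRONG-SECRET ~* +@read

# The implicit "default" user is what requirepass-style clients authenticate as;
# it is kept enabled for compatibility but loses RESTORE as well
user default on nopass ~* &* +@all -restore

# Verify after loading:
#   redis-cli ACL GETUSER app     -> "commands" should read "+@all -restore"
#   redis-cli ACL LOG             -> lists denied attempts, including blocked RESTORE calls
```

ACL LOG entries for RESTORE denials are a useful detection signal while instances remain on a version earlier than 8.6.3.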

Evidence notes

The vulnerability was published on May 5, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 7.7, indicating a high severity. The vulnerability was introduced in an earlier version of Redis and is patched in version 8.6.3. A workaround is to restrict access to the RESTORE command with ACL rules.

This article is AI-assisted and based on the supplied source corpus.