PatchSiren cyber security CVE debrief
CVE-2026-25243 redis CVE debrief
CVE-2026-25243 is a high-severity vulnerability in Redis, an in-memory data structure store. The RESTORE command does not properly validate serialized values, allowing an authenticated attacker with permission to execute RESTORE to supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This vulnerability is patched in version 8.6.3. The CVSS score for this vulnerability is 7.7, indicating a high severity. The vulnerability was published on May 5, 2026, and last modified on June 30, 2026.
- Vendor: redis
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-05
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-05
- Advisory updated: 2026-06-30
Who should care
System administrators and security teams responsible for Redis instances should be aware of this vulnerability, as should developers who use Redis in their applications; both should ensure that their instances are updated to version 8.6.3 or later. Because the flaw can lead to remote code execution, Redis users should prioritize patching it.
Technical summary
The RESTORE command in Redis does not properly validate serialized values, allowing an authenticated attacker with permission to execute RESTORE to supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. The vulnerability has a CVSS score of 7.7 and is classified as high severity. It was introduced in an earlier version of Redis and is patched in version 8.6.3; as a workaround, access to the RESTORE command can be restricted with ACL rules.
Defensive priority
Patching should be treated as high priority because the vulnerability can lead to remote code execution. System administrators and security teams should ensure that Redis instances are updated to version 8.6.3 or later and, until then, restrict access to the RESTORE command with ACL rules as a temporary measure.
Recommended defensive actions
- Update Redis instances to version 8.6.3 or later
- Restrict access to the RESTORE command with ACL rules
- Monitor Redis instances for suspicious activity
- Review and update ACL rules to ensure proper access control
- Consider implementing additional security measures such as network segmentation and intrusion detection
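To make the ACL workaround checkable, the following is an added example (not from the advisory or from Redis) that audits a Redis users.acl file for enabled accounts that can still run RESTORE. It assumes RESTORE belongs to the @keyspace, @write and @dangerous ACL categories, and the sample ACL file is constructed.

```python
"""Audit a Redis users.acl file for enabled accounts that can still run RESTORE.
Added example, not from the advisory or Redis: only command-permission tokens are
simulated, left to right as Redis applies them. RESTORE is in the @keyspace, @write
and @dangerous categories; @all covers every command. Key patterns (~), channel
patterns (&) and credentials are ignored."""

# Categories whose grant or revocation changes whether RESTORE is runnable
RESTORE_CATEGORIES = {"@all", "@keyspace", "@write", "@dangerous"}


def evaluate_user(rules: list) -> tuple:
    """Return (enabled, can_restore) after applying the rule tokens in order."""
    enabled, allowed = False, False  # a new user is off with no commands
    for tok in rules:
        low = tok.lower()
        if low in ("on", "off"):
            enabled = low == "on"
        elif low == "reset":
            enabled, allowed = False, False  # reset turns the user off and applies -@all
        elif low in ("nocommands", "-@all"):
            allowed = False
        elif low in ("allcommands", "+@all"):
            allowed = True
        elif low in ("+restore", "-restore"):
            allowed = low.startswith("+")  # explicit rule; later tokens may still override
        elif low[:2] in ("+@", "-@") and low[1:] in RESTORE_CATEGORIES:
            allowed = low.startswith("+")
    return enabled, allowed


def audit_acl(acl_text: str) -> dict:
    """Map each 'user <name> <rules...>' line to (enabled, can_restore)."""
    result = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":  # skips blanks and # comments
            result[parts[1]] = evaluate_user(parts[2:])
    return result


def restore_capable_users(acl_text: str) -> list:
    """Enabled users that can run RESTORE and therefore need a -restore rule or review."""
    return sorted(n for n, (on, can) in audit_acl(acl_text).items() if on and can)


# Constructed sample users.acl; the passwords are placeholders
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user appuser on >app-secret ~app:* &* +@all -restore
user ordered on >pw ~* &* -restore +@all
user writer on >pw ~* &* -@all +@write
user readonly on >pw ~* &* -@all +@read
user legacy off >pw ~* &* +@all
"""
```

In the sample, `ordered` is still flagged because `+@all` after `-restore` re-grants the command, and `writer` is flagged because @write contains RESTORE; only `appuser` is correctly locked down.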
Evidence notes
The vulnerability was published on May 5, 2026, and last modified on June 30, 2026. Its CVSS score is 7.7 (high severity). It was introduced in an earlier version of Redis and is patched in version 8.6.3; a workaround is to restrict access to the RESTORE command with ACL rules.
Official resources
- CVE-2026-25243 CVE record (CVE.org)
- CVE-2026-25243 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.