What Happened
On May 5, 2025, Redis released patches addressing CVE-2026-23479, a critical remote code execution vulnerability present since version 7.2.0. This flaw allows authenticated users to execute arbitrary operating system commands on the Redis server. The National Vulnerability Database (NVD) assigned it a CVSS 3.1 score of 8.8, while Redis rated it 7.7 under CVSS 4.0.
The vulnerability was discovered by an autonomous AI tool developed by Team Xint Code, designed to hunt bugs in large codebases. This tool operates independently during the analysis phase, identifying patterns and conditions that human reviewers might miss.
Timeline
December 2022: Redis 7.2.0 ships with the vulnerability.
December 2022 - April 2025: The flaw remains undetected through multiple minor releases across the 7.2, 7.4, 8.0, 8.2, 8.4, and 8.6 series. Standard code reviews, community scrutiny, and security testing fail to identify the issue.
April 2025: Team Xint Code's AI tool identifies the vulnerability during automated scanning.
May 5, 2025: Redis releases patches for all affected series: 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3.
Which Controls Failed or Were Missing
Static Application Security Testing (SAST) gaps: Traditional SAST tools scan for known vulnerability patterns. This flaw didn't match existing signatures, indicating a novel combination of conditions or component interactions that rule-based scanners missed.
Code review limitations: Multiple releases passed human review without detection. This highlights the limitations of human attention when reviewing complex state management in a high-performance database engine.
Penetration testing scope: If Redis underwent penetration testing, those tests either didn't include authenticated attack scenarios against the specific affected component, or testers didn't discover the execution path triggering the vulnerability.
Default configuration exposure: Analysis from Wiz indicates that default Redis configurations in cloud environments can amplify the impact of authenticated RCE vulnerabilities. Many deployments run with authentication but lack additional network isolation, allowing compromised credentials to enable command execution.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.3.2 mandates identifying security vulnerabilities using industry-accepted approaches. A two-year detection gap suggests your SAST tooling isn't adequately covering the attack surface.
OWASP ASVS v4.0.3 Section 14.2 requires automated security testing integrated into the build pipeline. Continuous scanning beyond signature-based detection is necessary if you're running Redis in a PCI environment.
ISO/IEC 27001:2022 Control 8.8 requires technical vulnerability management, including regular assessments and timely patching. While detection methods aren't specified, mechanisms capable of finding vulnerabilities before attackers do are implied.
NIST 800-53 Rev 5 RA-5 requires employing vulnerability monitoring tools that detect emerging threats. Static analysis is explicitly mentioned, but the control presumes the tools are actually effective, not merely present.
Lessons and Action Items for Your Team
Audit your Redis deployment immediately. Upgrade if you're running any version between 7.2.0 and the May 5 patches. Check your asset inventory for:
- Self-managed Redis instances
- Redis containers in Kubernetes
- Cloud-managed Redis services that allow version selection
- Development and staging environments
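One way to carry out that inventory check, as an added example that is not part of the advisory: the script below maps each affected series to the fixed release named above and classifies raw version strings from `redis-server --version` or `INFO server`. The instance names and version strings are constructed sample data; a series the advisory lists no fix for (8.0) is flagged for manual review rather than guessed at.

```python
"""Classify Redis instances against the fixed releases listed in the advisory."""
import re

# Per-series fixed versions taken from the advisory (constructed lookup table).
FIXED = {
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}
FIRST_AFFECTED = (7, 2, 0)


def parse_version(text):
    """Extract (major, minor, patch) from `redis-server --version`
    ("Redis server v=7.2.4 ...") or `INFO server` ("redis_version:7.2.4")
    output; return None when no version string is present."""
    m = re.search(r"(?:redis_version:|v=)(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """'not_affected' (before 7.2.0), 'patched', 'vulnerable', or
    'review' for a series with no fixed release listed in the advisory."""
    if version < FIRST_AFFECTED:
        return "not_affected"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "review"
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """inventory: instance name -> raw version output. Returns name -> status."""
    result = {}
    for name, raw in inventory.items():
        v = parse_version(raw)
        result[name] = "unknown" if v is None else assess(v)
    return result


# Constructed sample inventory; these are not real hosts.
SAMPLE = {
    "cache-prod-1": "redis_version:7.2.11",
    "cache-prod-2": "Redis server v=8.2.6 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64",
    "session-k8s": "redis_version:8.0.4",
    "legacy": "redis_version:6.2.14",
    "unreachable": "Could not connect to Redis at 10.0.0.5:6379: Connection refused",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```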
Re-evaluate your SAST tool coverage. This incident shows commercial SAST tools have blind spots. Test a known vulnerability from your language ecosystem to verify your scanner detects it. If not, you're investing in ineffective security.
Add AI-assisted analysis to your security workflow. Augment human review with AI tools that use large language models or specialized code analysis to identify suspicious patterns missed by rule-based scanners. Integrate them at the pull request stage.
Harden Redis configurations beyond authentication. Implement:
- Network segmentation: Redis should not be internet-accessible
- Principle of least privilege: Use ACLs to restrict commands per user
- Disable dangerous commands like CONFIG, SCRIPT, and MODULE unless required
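To check the ACL and dangerous-command points above against a live deployment, here is an added example (not from the advisory or from Redis itself) that audits `ACL LIST` output. It applies each user's command rules left to right, the way Redis evaluates them, and reports enabled users that have no password or can still run CONFIG, SCRIPT, or MODULE. The sample output is constructed, and the assumption that CONFIG and MODULE (but not SCRIPT) fall under the @dangerous category is marked in the code.

```python
"""Heuristic least-privilege audit of Redis `ACL LIST` output."""
DANGEROUS_CMDS = {"config", "script", "module"}
# Assumption: CONFIG and MODULE are members of the @dangerous category,
# SCRIPT is not, so "-@dangerous" alone leaves SCRIPT allowed.
IN_DANGEROUS_CAT = {"config", "module"}


def evaluate_user(line):
    """Parse one ACL LIST line into findings for that user.
    Only the three commands named above are tracked."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    name, rules = tokens[1], tokens[2:]
    allowed = set()
    for tok in rules:  # rules take effect in order, later ones override
        if tok in ("+@all", "allcommands"):
            allowed = set(DANGEROUS_CMDS)
        elif tok in ("-@all", "nocommands"):
            allowed = set()
        elif tok == "-@dangerous":
            allowed -= IN_DANGEROUS_CAT
        elif tok == "+@dangerous":
            allowed |= IN_DANGEROUS_CAT
        elif tok[:1] in "+-" and not tok.startswith(("+@", "-@")):
            cmd = tok[1:].split("|", 1)[0].lower()  # drop subcommand selector
            if cmd in DANGEROUS_CMDS:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
    return {
        "user": name,
        "enabled": "on" in rules,
        "nopass": "nopass" in rules,
        "allkeys": "~*" in rules or "allkeys" in rules,
        "dangerous_allowed": sorted(allowed),
    }


def audit_acl(acl_list_output):
    """Return findings for enabled users that lack a password or keep
    access to any of CONFIG, SCRIPT, MODULE."""
    findings = []
    for line in acl_list_output.strip().splitlines():
        f = evaluate_user(line.strip().strip('"'))
        if f["enabled"] and (f["nopass"] or f["dangerous_allowed"]):
            findings.append(f)
    return findings


# Constructed sample ACL LIST output; hashes are placeholders.
SAMPLE_ACL = '''
"user default on nopass sanitize-payload ~* &* +@all"
"user app on #SHA256_PLACEHOLDER_1 ~app:* resetchannels -@all +get +set +del"
"user ops on #SHA256_PLACEHOLDER_2 ~* &* +@all -@dangerous -script"
"user old off nopass ~* &* +@all"
'''
```

Run against real output with `redis-cli ACL LIST`; only the `default` user in the sample is reported, because it is enabled, passwordless, and retains all three commands.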
Test your incident response for dependency vulnerabilities. When a critical CVE drops, ensure you can:
- Identify all instances across environments
- Test the patched version in staging
- Deploy to production
- Verify the patch didn't break functionality
If this process takes longer than 48 hours, address the process issue.
Document what your scanners don't catch. Maintain a list of vulnerability classes your current tools miss. When you find a gap, evaluate whether new tools or techniques could cover it. This becomes your business case for security tooling budget.
The Redis vulnerability highlights the limits of signature-based detection and human code review. Autonomous AI tools, while not infallible, found this flaw when other methods failed. If your security relies solely on outdated methods, you're accumulating unseen risk.