From 2-Bit Reset to 0-Click RCE in Redis: A Pwn2Own Edition
Benny Isaacs
Hexacon 2025 · Day 1 · Main Stage
In a groundbreaking presentation at Hexacon, Benny Isaacs, a Senior Security Researcher at Wiz, detailed a complex **zero-click Remote Code Execution (RCE)** vulnerability discovered and exploited in Redis, one of the world's most ubiquitous in-memory databases. This talk, which earned Wiz a significant prize at Pwn2Own Berlin, unveiled a bug that lay dormant for 13 years within the Redis Lua scripting engine. The vulnerability allowed attackers to bypass Redis's robust sandboxing mechanisms and achieve full system compromise without any user interaction, merely by submitting a specially crafted Lua script.
AI review
Isaacs delivers the real thing: a 13-year-old UAF in the Lua GC, buried deep enough that nobody found it, weaponized into a reliable 0-click RCE against one of the most widely deployed pieces of infrastructure on the planet. The chain is genuinely elegant — GC timing abuse to manufacture a dangling pointer, a 2-bit reset primitive that most researchers would have thrown away as useless, then methodical heap shaping to bootstrap that into arbitrary object faking, an absolute read, and a ROP chain punching through pointer guard. This is the kind of work that makes you question what else is…