Redis Exposure Across the EU: A Snapshot from Shodan Data

March 06, 2026

Redis is a high performance in-memory key value store used for caching, session management, queues, real time analytics, and distributed systems.

It is designed to run inside trusted networks.

It was never meant to be exposed directly to the public internet.

Yet visibility data shows a significant number of services responding on port 6379 across the 27 EU member states.

This is not a vulnerability scan. It is a snapshot of what is publicly reachable.

Methodology

Scope: 27 European Union member states

AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE

Query focus:

Services responding on port 6379, typically associated with Redis.

Important context:

Not everything on port 6379 is Redis
Some services may be proxies, honeypots, or unrelated software
Fingerprinting is based on Shodan visibility

The results reflect observable exposure, not confirmed configuration state.

Total Port 6379 Exposure in the EU

Total services responding on port 6379: 61,718

That is a large attack surface for a service that is commonly deployed without authentication in internal environments.

Country	Instances
Germany (DE)	25,797
Netherlands (NL)	10,512
France (FR)	8,619
Finland (FI)	4,205
Sweden (SE)	1,746
Spain (ES)	1,630
Poland (PL)	1,515
Ireland (IE)	1,334
Czechia (CZ)	1,260
Italy (IT)	1,111
Romania (RO)	704
Belgium (BE)	545
Austria (AT)	496
Bulgaria (BG)	347
Hungary (HU)	312
Denmark (DK)	307
Portugal (PT)	239
Lithuania (LT)	202
Greece (GR)	201
Latvia (LV)	133
Estonia (EE)	118
Cyprus (CY)	114
Slovakia (SK)	77
Croatia (HR)	74
Slovenia (SI)	50
Luxembourg (LU)	49
Malta (MT)	21

Germany, the Netherlands, and France account for the majority of visible exposure. This pattern mirrors hosting density and infrastructure concentration.

What Is Actually Running on Port 6379?

Fingerprinting results show a diverse ecosystem.

Product	Instances
Redis key-value store	41,258
nginx	1,011
OpenSSH	194
Hikvision IP Camera	96
VNC	72
Microsoft IIS httpd	63
Home Assistant	57

Most services appear to be genuine Redis instances. The presence of honeypots and unusual services reinforces that port-based exposure analysis provides visibility, not certainty.

Why Redis Exposure Is Particularly Dangerous

Redis historically runs without authentication in many internal deployments. Common characteristics of exposed Redis instances include:

No password required
No TLS enabled
Bound to 0.0.0.0
Running as root
No firewall restrictions

If unauthenticated, an attacker can read and dump all keys, modify application session data, inject malicious values, or even achieve remote code execution via misconfiguration.

From a Pentester Perspective

When we discover an internet facing Redis instance, we immediately test:

Is authentication required?
Is TLS enabled?
Is the instance bound to all interfaces?
Can we run INFO or read keys?
Can we write files via CONFIG and SAVE?

If no authentication is required, severity is typically Critical. Redis compromise can lead to remote code execution or privilege escalation through filesystem access.

Redis Hardening Checklist

1. Bind to Internal Interfaces Only

Set bind 127.0.0.1 or a private IP
Avoid binding to 0.0.0.0
Place Redis inside a private subnet

2. Require Authentication

Set a strong requirepass value
Prefer Redis ACLs for fine grained control

3. Enable TLS

Use TLS for client connections
Disable plaintext port if possible

4. Restrict Dangerous Commands

Use rename-command to restrict CONFIG, FLUSHALL, SAVE

5. Do Not Run as Root

Use a dedicated service account with limited privileges

Part of the EU Exposure Series

Explore our other research on protocol exposure across the 27 EU member states:

Final Thoughts

61,718 services responding on port 6379 across the EU is not a small number. Redis was designed for trusted environments. The risk appears when it is directly reachable from the internet without authentication or segmentation.