A critical Remote Code Execution vulnerability has been patched in Imunify360 AV, a security product protecting approximately 56 million websites worldwide.
Hosting companies must apply the patch immediately to prevent potential server compromises.
The vulnerability details began circulating in late October 2024, prompting urgent recommendations for affected hosting providers to verify the integrity of their servers.
Despite the severity, Imunify360’s team has not released an official statement, and no CVE identifier has been assigned.
The issue was quietly documented on their Zendesk support portal on November 4, 2025, with an estimated CVSS severity score of 8.2.
Vulnerability Overview
Security researchers discovered a remote code execution flaw in Imunify360 AV (AI-Bolit) versions before v32.7.4.0.
The vulnerability originates from the deobfuscation logic that executes untrusted functions and payloads extracted from attacker-supplied malware samples.
When processing malicious files, the deobfuscator can invoke dangerous PHP functions, including system(), exec(), shell_exec(), passthru(), and eval(), enabling arbitrary command execution and a complete compromise of the hosting environment.
Attackers can embed specially crafted obfuscated PHP code that triggers Imunify360 AV’s deobfuscation signatures.
Once processed, the deobfuscator executes extracted functions on attacker-controlled data, permitting arbitrary system commands or PHP code execution.
The consequences range from individual website compromise to complete server takeover, depending on the hosting configuration and privilege levels.
Detection is challenging because malicious payloads use advanced obfuscation techniques, including hex escapes, packed payloads, base64/gzinflate chains, and custom delta/ord transformations, specifically designed to bypass detection until deobfuscated.
Imunify360 AV operates as a specialized malware scanner for website files, including PHP, JavaScript, and HTML.
By default, the scanner runs as a service with root privileges, creating severe escalation risks on shared hosting environments. Successful exploitation could allow attackers to escalate from a single compromised website to complete host control.
The vulnerability exists in two problematic code flows within the deobfuscation engine. The eval-hex flow pattern-matches obfuscated code containing hex-encoded function names, while the Delta/Ord flow passes recovered strings and function names through Helpers::executeWrapper.
Neither flow validates that the recovered function name is safe to call, so dangerous system functions can be executed.
Most critically, although the CLI disables deep deobfuscation by default, the Python scanner wrapper enables it automatically for every scan type, including background, on-demand, user-initiated, and rapid account scans.
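The defensive fix for the flaw described above is to stop treating a recovered function name as something to dispatch. The following added example (written for this article, not Imunify360 or AI-Bolit code, and in Python rather than the scanner's PHP) resolves hex-escaped PHP calls from the inside out, but only through a fixed table of pure string transforms; any other decoded name, such as system, is reported as a finding and left untouched. The sample input, the regex and the helper names are constructed for the demonstration.

```python
import base64
import codecs
import re

# Allowlist of pure string transforms the deobfuscator may apply. A decoded
# name is looked up here and never used for dynamic dispatch, so names such
# as system, exec, shell_exec or passthru can never be invoked.
SAFE_TRANSFORMS = {
    "base64_decode": lambda s: base64.b64decode(s, validate=True).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot13"),
    "strrev": lambda s: s[::-1],
}

# A PHP call whose function name is a hex-escaped string literal applied to a
# single-quoted literal argument, e.g. "\x73\x74\x72\x72\x65\x76"('abc').
HEX_CALL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"\s*\(\s*\'([^\']*)\'\s*\)')

def hex_escape(name):
    """Hex-escape a function name the way obfuscated samples do (sample construction only)."""
    return "".join(f"\\x{b:02x}" for b in name.encode())

def call(name, arg):
    """Build an obfuscated dynamic call for the constructed sample."""
    return '"' + hex_escape(name) + '"(' + arg + ')'

def decode_hex_name(escaped):
    return bytes.fromhex(escaped.replace("\\x", "")).decode("latin-1")

def deobfuscate(sample, max_rounds=8):
    """Resolve hex-escaped calls inside-out. Returns (rewritten_sample, findings).
    Allowlisted names are applied to their literal argument; anything else is
    reported once and left in place so the analyst still sees it."""
    findings = []

    def report(note):
        if note not in findings:
            findings.append(note)

    def repl(match):
        name = decode_hex_name(match.group(1))
        transform = SAFE_TRANSFORMS.get(name)
        if transform is None:
            report(f"refused dynamic call to {name}()")
            return match.group(0)
        try:
            return "'" + transform(match.group(2)) + "'"
        except (ValueError, UnicodeDecodeError):
            report(f"{name}() rejected a malformed argument")
            return match.group(0)

    for _ in range(max_rounds):
        rewritten = HEX_CALL.sub(repl, sample)
        if rewritten == sample:
            break
        sample = rewritten
    return sample, findings

# Constructed sample: strrev(base64_decode('aGVsbG8=')) followed by a hex-escaped
# system() call, the kind of name the dispatcher must refuse.
SAMPLE = call("strrev", call("base64_decode", "'aGVsbG8='")) + ";\n" + call("system", "'uptime'") + ";\n"
```

Running deobfuscate(SAMPLE) yields 'olleh' for the nested chain and a single finding for the refused system() call, which is the signal a scanner should log rather than act on.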
CloudLinux, the vendor behind Imunify360, has not issued a formal security advisory or CVE disclosure.
The only public acknowledgment appears in a brief Zendesk article. This marks the second critical RCE vulnerability in Imunify360, following a similar incident reported by Talos Intelligence in 2021.
Administrators running Imunify360 AV versions before v32.7.4.0 must immediately apply vendor-supplied security updates.
If immediate patching is impossible, restrict the execution environment by running the scanner in isolated analysis containers with minimal privileges and no network access.
Administrators should contact CloudLinux support to verify exposure status and obtain post-incident guidance.