Critical Imunify360 AV Vulnerability Exposes 56 Million Linux-hosted Websites to Remote Code Execution Attacks

A severe remote code execution (RCE) vulnerability has been discovered in Imunify360 AV, a widely used malware scanner protecting approximately 56 million websites.

The security flaw, recently patched by CloudLinux, allows attackers to execute arbitrary commands and potentially take complete control of hosting servers.

Patchstack researchers discovered a flaw in Imunify360 AV’s deobfuscation logic used to analyze malicious PHP code.

Imunify360 AV RCE Vulnerability

An attacker can craft a specially obfuscated PHP file that tricks the scanner's deobfuscator into calling dangerous functions named inside the sample, such as system(), exec(), or eval(), while the file is merely being analyzed.

Because the scanner typically runs with root privileges, successful exploitation can result in a complete server takeover.

The Patchstack analysis highlights an aggravating factor: deobfuscation is enabled in the default configuration of Imunify360 AV for all scan types.
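The bug class described above, as an added model that is not Imunify360 or AI-Bolit code and does not claim to reproduce their internals: a scanner that unwraps layered PHP such as eval(gzinflate(base64_decode("..."))) by calling each named function on the inner payload, written once without and once with an allowlist of pure decoders. The dispatch table, the function names and both sample files are constructed for the demonstration; system() is replaced by a recorder so nothing is actually executed.

```python
"""Model of the deobfuscation-driven RCE bug class described above.

Constructed illustration, not Imunify360 / AI-Bolit code. A scanner that
"unwraps" layered PHP such as eval(gzinflate(base64_decode("..."))) by
calling each named function on the inner payload must never resolve the
callee from attacker-controlled text without an allowlist. Assumed names
here: PHP_FUNCS, SAFE_DECODERS, deobfuscate_unsafe, deobfuscate_safe.
"""
import base64
import codecs
import re
import zlib

# Side-channel for the demo: what a real scanner would have executed.
EXECUTED: list[str] = []


def _fake_system(cmd: str) -> str:
    """Stand-in for PHP system(): records the command instead of running it."""
    EXECUTED.append(cmd)
    return ""


# Hypothetical dispatch table from PHP function names to implementations.
# The three decoders are pure string transforms; 'system' is the kind of
# entry a name-based dispatcher must never be allowed to reach.
PHP_FUNCS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "system": _fake_system,
}

# The fix: an explicit allowlist of functions that only transform data.
SAFE_DECODERS = frozenset({"base64_decode", "str_rot13", "gzinflate"})

# Toy grammar: a single-argument call chain ending in a quoted literal.
_CALL = re.compile(r"^\s*([A-Za-z_]\w*)\s*\((.*)\)\s*;?\s*$", re.S)
_STR = re.compile(r"""^\s*(['"])(.*)\1\s*$""", re.S)


def _unwrap(expr: str, allowed) -> str:
    """Evaluate nested fn(fn2('...')) innermost-first; eval() is only peeled."""
    m = _STR.match(expr)
    if m:
        return m.group(2)
    m = _CALL.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr[:40]!r}")
    name, inner = m.group(1), m.group(2)
    if name == "eval":  # reveal what eval would run; never execute it
        return _unwrap(inner, allowed)
    if allowed is not None and name not in allowed:
        raise ValueError(f"refusing to call {name!r} during deobfuscation")
    fn = PHP_FUNCS.get(name)
    if fn is None:
        raise ValueError(f"unknown function {name!r}")
    return fn(_unwrap(inner, allowed))


def deobfuscate_unsafe(php: str) -> str:
    """Vulnerable pattern: whatever function the sample names gets called."""
    return _unwrap(php, allowed=None)


def deobfuscate_safe(php: str) -> str:
    """Hardened pattern: only allowlisted pure decoders are ever invoked."""
    return _unwrap(php, allowed=SAFE_DECODERS)


def safe_rejects(php: str) -> bool:
    """True if the hardened deobfuscator refuses to process the sample."""
    try:
        deobfuscate_safe(php)
    except ValueError:
        return True
    return False


def _obfuscate(code: str) -> str:
    """Build the classic eval(gzinflate(base64_decode("..."))) wrapper."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, like gzdeflate()
    raw = c.compress(code.encode("latin-1")) + c.flush()
    return f'eval(gzinflate(base64_decode("{base64.b64encode(raw).decode()}")));'


# Constructed samples. BENIGN is ordinary layered obfuscation; MALICIOUS
# names system() in the chain so that a naive scanner runs it as root.
BENIGN = _obfuscate('echo "hello";')
MALICIOUS = "eval(system('id > /tmp/pwned'));"

if __name__ == "__main__":
    print("benign  ->", deobfuscate_safe(BENIGN))
    print("malicious rejected by hardened path:", safe_rejects(MALICIOUS))
    deobfuscate_unsafe(MALICIOUS)
    print("naive path would have executed:", EXECUTED)
```

The design point is that the two paths differ by one check: the hardened version consults SAFE_DECODERS before touching the dispatch table, so a function name that arrives in the sample can never select anything with side effects. The toy grammar only handles one-argument call chains; a real deobfuscator needs a proper PHP tokenizer, but the allowlist decision is the same.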


Attribute           Details
Vulnerability Type  Remote Code Execution (RCE)
Product Affected    Imunify360 AV (AI-Bolit)
Affected Versions   Prior to v32.7.4.0
Patched Version     v32.7.4.0 and later

That covers background scans, on-demand scans, and rapid account scans, so a vulnerable system is exposed every time the scanner processes attacker-supplied files. On shared hosting environments the danger is greatest.

An attacker who has compromised a single website can plant a crafted file, let the root-privileged scanner process it, and thereby gain root on the server, compromising every website and customer hosted there.

This escalation from one tenant to the whole host makes the vulnerability especially severe for hosting providers serving multiple clients. CloudLinux released a patch on October 21, 2025, but has notably not assigned a CVE or published a formal security advisory.

Information about the vulnerability appeared on their Zendesk support page on November 4, 2025, even though exploitation details had been circulating since late October.

Patchstack experts recommend that hosting companies not only patch immediately but also investigate whether their servers have already been compromised.

Hosting companies should upgrade to Imunify360 AV version 32.7.4.0 or later without delay and check their infrastructure for signs of exploitation.
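A small added helper for the upgrade check above, not CloudLinux tooling: it takes whatever version string your package manager or the agent prints (the exact command is not assumed) and decides whether the build predates the patched release 32.7.4.0. Components are compared numerically, because a plain string comparison ranks 32.10.0.0 below 32.7.4.0 and would report a patched host as vulnerable.

```python
"""Added helper: is an installed Imunify360 AV (AI-Bolit) build older than
the patched release 32.7.4.0 named in the article? Constructed example, not
CloudLinux code. Input is any string containing a dotted version, e.g. the
package manager's output; the command used to obtain it is not assumed.
"""
import re

PATCHED = (32, 7, 4, 0)  # first fixed version named in the article

# At least two dotted components, so a stray digit like 'el8' is not a version.
_VERSION = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple:
    """Pull the first dotted-numeric version out of e.g. '32.7.3.1-1.el8'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    # Pad short forms so '32.7.4' compares equal to 32.7.4.0, not below it.
    return parts + (0,) * max(0, len(PATCHED) - len(parts))


def is_vulnerable(text: str) -> bool:
    """True if the reported version predates the patched release."""
    return parse_version(text) < PATCHED


if __name__ == "__main__":
    for sample in ("32.7.3.1-1.el8", "32.7.4.0", "32.10.0.0"):  # constructed
        print(sample, "vulnerable" if is_vulnerable(sample) else "patched")
```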
