A critical vulnerability was discovered in the AI-Bolit component of Imunify security products, raising concerns across the web hosting and Linux server communities.
This flaw could let attackers execute arbitrary code and escalate their privileges to root, risking the integrity of millions of servers worldwide.
Imunify, a security platform widely used on web hosting servers, released an advisory regarding a security weakness in its AI-Bolit malware scanner.
The vulnerability was found in the deobfuscation logic of AI-Bolit, specifically in functions that analyze potentially malicious code during scans.
If exploited, an attacker could plant a file or database entry containing code that tricks the scanner into calling attacker-chosen PHP functions while it analyzes that content.
Affected products include Imunify360, ImunifyAV+, and ImunifyAV, specifically older versions before 32.7.4-1. This left many web servers temporarily exposed to attacks that could result in total server compromise.
The vulnerability was reported to Imunify through responsible disclosure by researcher Aleksejs Popovs. Imunify reacted quickly, creating and releasing a security patch on October 23, 2025.
This patch introduced a strict allowlist of safe functions, preventing the deobfuscator from executing potentially dangerous PHP functions supplied by attackers.
The vast majority of Imunify servers were automatically updated with the fix by November 17, 2025.
So far, the company reports no evidence that the flaw has been abused in the wild, and no suspicious activity has been detected by customers.
Technical Details
In the affected versions, the deobfuscation functions deobfuscateDeltaOrd and deobfuscateEvalHexFunc in ai-bolit-hoster.php called Helpers::executeWrapper().
This function ran strings from scanned files as PHP code without proper filtering, leaving the door open to arbitrary code execution.
Malicious input could reach the deobfuscator through either of two scan paths: a file on disk picked up by a file scan, or a database record picked up by a database scan. The patch closed both.
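The allowlist fix described above, shown as an added PHP illustration that is not AI-Bolit's code: the class name, the method names (executeWrapperUnsafe, executeWrapper) and the list of permitted helpers are assumptions made here for the example, and the sample input is constructed. The point is the pattern: the callee name comes from scanned content, so it must be checked against a fixed list of harmless string and decoding helpers before anything is called.

```php
<?php
// Added illustration (not AI-Bolit's code): a deobfuscation helper that calls
// a function whose name was recovered from a scanned file. Names are hypothetical.

final class Deobfuscator
{
    // Pure string/decoding helpers a deobfuscator legitimately needs (assumed list).
    // Anything not on this list is refused, whatever the scanned file names.
    private const ALLOWED_FUNCTIONS = [
        'base64_decode', 'str_rot13', 'gzinflate', 'gzuncompress', 'urldecode',
        'hex2bin', 'strrev', 'chr', 'ord', 'strlen', 'substr', 'str_replace',
    ];

    // Before: the callee is taken straight from scanned content, so the file,
    // not the scanner, decides which PHP function runs.
    public static function executeWrapperUnsafe(string $func, array $args): mixed
    {
        return call_user_func_array($func, $args);
    }

    // After: the callee must be on the allowlist; everything else is rejected
    // before any call happens. Leading backslashes and case are normalised so
    // "\Base64_Decode" cannot slip past an exact string comparison.
    public static function executeWrapper(string $func, array $args): mixed
    {
        $name = strtolower(ltrim($func, '\\'));
        if (!in_array($name, self::ALLOWED_FUNCTIONS, true)) {
            throw new \UnexpectedValueException(
                "refused to call '$func' while deobfuscating scanned content"
            );
        }
        return call_user_func_array($name, $args);
    }
}

// Constructed sample: one base64 layer around an obfuscated string.
$layer = ['base64_decode', ['aGVsbG8=']];
var_dump(Deobfuscator::executeWrapper($layer[0], $layer[1]));

// Constructed sample: scanned content naming a function outside the allowlist
// (a file read here, stood in for anything a malware sample could name) is refused.
try {
    Deobfuscator::executeWrapper('file_get_contents', ['/path/from/scanned/file']);
} catch (\UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The refusal is a thrown exception rather than a silent null so that the scanner's own logging can record which function name the scanned content tried to reach; that log line is the detection signal a hosting operator would want to alert on.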
All users should upgrade the AI-Bolit package to version 32.7.4-1 or newer. For CentOS 6, a backported fix is available as 32.1.10-2.32.7.4.
If you cannot upgrade immediately, Imunify recommends turning off all file scans (scheduled, real-time, FTP scans, and ModSecurity uploads) until the patch is applied.
You can set configuration options like enable_scan_pure_ftpd: False and scan_modified_files: False to deactivate scanning. Alternatively, restrict scans to trusted users only.
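A small added check, not part of Imunify's tooling, for deciding whether an installed AI-Bolit version string already carries the fix listed above. The version strings come from the advisory text; the function name and the sample inputs are constructed here. The CentOS 6 backport is the case worth handling: it keeps the older 32.1.10 base version, so a plain numeric comparison against 32.7.4 would wrongly report it as vulnerable.

```php
<?php
// Added check (not Imunify's code): is this AI-Bolit version string patched?

const AI_BOLIT_FIXED_VERSION = '32.7.4';   // from the advisory
const AI_BOLIT_FIXED_RELEASE = '1';        // i.e. 32.7.4-1
// CentOS 6 backport from the advisory; its base version is older than 32.7.4,
// so it is matched explicitly instead of compared numerically.
const AI_BOLIT_CENTOS6_BACKPORT = '32.1.10-2.32.7.4';

function aiBolitIsPatched(string $installed): bool
{
    $installed = trim($installed);
    if ($installed === AI_BOLIT_CENTOS6_BACKPORT) {
        return true;
    }
    // Split "version-release" (e.g. 32.7.4-1); a missing release counts as 0.
    [$version, $release] = array_pad(explode('-', $installed, 2), 2, '0');
    $cmp = version_compare($version, AI_BOLIT_FIXED_VERSION);
    if ($cmp !== 0) {
        return $cmp > 0;
    }
    return version_compare($release, AI_BOLIT_FIXED_RELEASE) >= 0;
}

// Constructed sample inputs, in the "version-release" shape a package query prints.
foreach (['32.7.3-1', '32.7.4-1', '32.8.0-1', '32.1.10-2.32.7.4', '32.1.10-1'] as $v) {
    printf("%-20s %s\n", $v, aiBolitIsPatched($v) ? 'patched' : 'needs upgrade');
}
```

Feed it the version-release string of the installed AI-Bolit package (the exact package name and query command depend on the distribution and are not given in the advisory). Any later CentOS 6 backport release would need to be added alongside the one constant above, since only that exact string is recognised.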
Imunify stresses its responsibility to prioritize customer security. Their protocol involves silently deploying patches before public disclosure to avoid helping attackers.
Customers are urged to keep auto-updates enabled to ensure rapid protection against future threats.
Imunify credits Aleksejs Popovs for responsibly reporting the flaw and helping coordinate the disclosure process. A CVE identifier for this vulnerability is pending.
This incident underscores the importance of prompt patching and security hygiene in web hosting environments. AI-Bolit’s flaw is a reminder that even security tools can pose risks if not kept up to date and closely monitored.
