A critical remote code execution (RCE) vulnerability has been found in Imunify360 AV, a widely used malware scanner protecting roughly 56 million websites.
The security flaw, recently patched by CloudLinux, allows attackers to execute arbitrary commands and potentially take full control of hosting servers.
Patchstack researchers discovered the flaw in Imunify360 AV's deobfuscation logic, the component used to analyze obfuscated, potentially malicious PHP code.
Imunify360 AV RCE Vulnerability
Attackers can craft specially encoded PHP files that trick the scanner into executing dangerous functions, such as system(), exec(), or eval(), during analysis. The scanner does not need to be told to run the file; merely scanning it is enough.
Because the scanner typically runs with root privileges, successful exploitation can result in a complete server takeover.
Vulnerability Type: Remote Code Execution (RCE)
Product Affected: Imunify360 AV (AI-Bolit)
Affected Versions: Prior to v32.7.4.0
Patched Version: v32.7.4.0 and later

The Patchstack analysis highlights a concerning detail: deobfuscation is automatically enabled in the default configuration of Imunify360 AV for all scan types, including background scans, on-demand scans, and rapid account scans. This means vulnerable systems are continuously at risk whenever the scanner operates, since an attacker only needs to get a crafted file onto disk where a scan will reach it. On shared hosting environments, this vulnerability poses a particular danger.
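The design principle the flaw points at is that a deobfuscator must only decode, never dispatch to the functions named in the file it is analyzing. The Python sketch below is an added illustration of that principle, not Imunify360 or AI-Bolit code and not a description of the actual bug: it statically unwraps nested eval(base64_decode(...)) / gzinflate(...) layers through an allowlist of pure decoders, refuses anything else, and then flags dangerous calls in the innermost layer. The sample dropper is constructed inline for the demonstration.

```python
import base64
import codecs
import re
import zlib

# Allowlist of pure, side-effect-free decoders the analyzer is willing to emulate.
# Anything not in this table is refused rather than looked up and called dynamically,
# which is the mistake that turns a scanner into a remote code execution sink.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    # PHP gzinflate() consumes raw deflate data, hence wbits = -15.
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
}

STR_RE = re.compile(r"""^\s*(['"])(.*)\1\s*$""", re.S)
CALL_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\((.*)\)\s*$", re.S)
EVAL_RE = re.compile(r"eval\s*\((.*)\)\s*;", re.S)

DANGEROUS = ("system", "exec", "shell_exec", "passthru", "eval")
DANGER_RE = re.compile(r"\b(" + "|".join(DANGEROUS) + r")\s*\(")


def evaluate_static(expr):
    """Statically evaluate a chain of allowlisted decoders around a string literal.

    Raises ValueError for variables, unknown functions or anything else that would
    require actually running PHP; the caller treats that as "stop unwrapping here".
    """
    m = STR_RE.match(expr)
    if m:
        return m.group(2)
    m = CALL_RE.match(expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr)
    name, inner = m.group(1), m.group(2)
    if name not in DECODERS:
        raise ValueError("refusing to evaluate non-decoder function %s" % name)
    return DECODERS[name](evaluate_static(inner))


def unwrap(php_source, max_layers=10):
    """Peel eval(...) layers without executing anything; returns every layer seen."""
    layers = [php_source]
    for _ in range(max_layers):
        m = EVAL_RE.search(layers[-1])
        if not m:
            break
        try:
            layers.append(evaluate_static(m.group(1)))
        except ValueError:
            break  # opaque argument: leave the eval() in place to be flagged below
    return layers


def scan(php_source):
    """Report how deep the obfuscation went and which dangerous calls remain."""
    layers = unwrap(php_source)
    found = sorted({m.group(1) for m in DANGER_RE.finditer(layers[-1])})
    return {"layers": len(layers), "dangerous_calls": found}


def php_gzdeflate(text):
    """Raw deflate, matching what PHP's gzdeflate() produces (assumption: level 9)."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(text.encode()) + c.flush()


def build_sample():
    """Constructed two-layer dropper: base64 around gzdeflate+base64 around system()."""
    payload = "<?php system($_GET['c']); ?>"
    layer1 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(
        php_gzdeflate(payload)).decode()
    return '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(layer1.encode()).decode()


if __name__ == "__main__":
    print(scan(build_sample()))
    print(scan('<?php eval(system("id")); ?>'))
```

The second call in the usage section is the instructive one: a file that names a non-decoder function inside eval() is not "deobfuscated" by calling that function, it is left untouched and both eval and system are reported. A scanner that resolved the function name from the file and invoked it would run the attacker's command on every scan, which is the class of failure described above.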
Attackers who compromise a single website can escalate privileges to gain root access, compromising every website and customer on the same server.
This lateral movement capability makes the vulnerability especially severe for hosting providers serving multiple clients. CloudLinux released a patch on October 21, 2025, but has notably not issued a formal CVE assignment or security advisory.
Information about the vulnerability appeared on CloudLinux's Zendesk support page on November 4, 2025, even though exploitation details had been circulating since late October.
Patchstack experts recommend that hosting companies not only patch immediately but also investigate whether their servers have already been compromised, given the gap between the patch and its public disclosure.
Hosting companies should upgrade to Imunify360 AV version 32.7.4.0 or later at once and conduct forensic checks for signs of exploitation on their infrastructure.
