A vulnerability affecting Imunify360 lets attackers run code via malicious file uploads, risking millions of websites.
A vulnerability in ImunifyAV/Imunify360 allows attackers to upload malicious files to shared servers and execute arbitrary code, potentially exposing millions of websites, cybersecurity firm Patchstack warns.
The flaw in Imunify360 AV before v32.7.4.0 lets attacker‑supplied malware trigger dangerous PHP calls, enabling remote code execution and full server compromise.
“Recently a remote code execution via malware execution vector was discovered in the imunify360AV (AI-bolit) version prior to v32.7.4.0. The vulnerability stems from the deobfuscation logic executing untrusted functions and payloads extracted from attacker supplied malware.” reads the report published by Patchstack. “An attacker-controlled payload can cause the deobfuscator to call dangerous PHP functions (for example system, exec, shell_exec, passthru, eval, etc.), resulting in arbitrary command execution and full compromise of the hosting environment.”
Imunify360 is an all-in-one server security platform developed by CloudLinux. It focuses on protecting shared, VPS, and dedicated hosting servers by combining multiple defensive layers. The cybersecurity solution currently protects over 56 million websites.
Remote attackers can craft obfuscated PHP that mimics Imunify360AV (AI-Bolit) deobfuscation patterns, causing the scanner to execute attacker‑controlled functions and system commands.
“The exploit requires the imunify360AV scanner to perform active deobfuscation during analysis. In practice this means running the scanner with the -y / --deobfuscate option enabled. Example invocation used during triage” states the report.
This enables arbitrary code execution, leading to website compromise or full server takeover, especially since the scanner often runs as a root‑privileged service.
“Remote attackers can embed specifically crafted obfuscated PHP that matches imunify360AV (AI-bolit) deobfuscation signatures.” continues the report. “The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code. Impact ranges from website compromise to full server takeover depending on hosting configuration and privileges.”
The researchers warn that detection is difficult because payloads use layered obfuscation formats. In shared hosting, exploitation may allow privilege escalation and potentially full host control.
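To make the bug class concrete from the defender's side, here is an added example (not AI-Bolit's code and not from the Patchstack report) of a deobfuscation step that dispatches only to an explicit allowlist of pure decoders; the regex, the decoder list and the two sample strings are constructed for illustration.

```php
<?php
// Added illustration, not AI-Bolit's code: a deobfuscation step that will only
// dispatch to an explicit allowlist of pure, side-effect-free decoders. Both the
// function name and its argument come from the untrusted sample, which is the
// situation the advisory describes.

// Decoders that only transform bytes and cannot run code or touch the system.
const SAFE_DECODERS = [
    'base64_decode', 'str_rot13', 'gzinflate', 'gzuncompress',
    'urldecode', 'hex2bin', 'strrev',
];

// Matches the common wrapper shape  func('literal')  or  func("literal").
const WRAPPER_RE = '/^\s*(\w+)\s*\(\s*([\'"])((?:(?!\2).)*)\2\s*\)\s*;?\s*$/s';

// Unsafe pattern (shown for contrast, never used on real input): the function
// name extracted from the sample is trusted and invoked as-is.
function unsafe_unwrap(string $sample): ?string
{
    if (!preg_match(WRAPPER_RE, $sample, $m)) {
        return null;
    }
    return (string) call_user_func($m[1], $m[3]); // $m[1] could be system, exec, ...
}

// Hardened pattern: the extracted name must be allowlisted and must exist;
// anything else is logged and left undecoded for a human analyst.
function safe_unwrap(string $sample, array &$log = []): ?string
{
    if (!preg_match(WRAPPER_RE, $sample, $m)) {
        return null;
    }
    $fn = strtolower($m[1]);
    if (!in_array($fn, SAFE_DECODERS, true) || !function_exists($fn)) {
        $log[] = "refused to execute '$fn' named inside sample";
        return null;
    }
    $out = @$fn($m[3]);      // static dispatch to an allowlisted decoder only
    return $out === false ? null : $out;
}

// Constructed samples: a benign base64 wrapper and one naming a shell function.
$benign  = "base64_decode('aGVsbG8=');";   // decodes to "hello"
$hostile = "system('id');";

$log = [];
var_dump(safe_unwrap($benign, $log));   // string(5) "hello"
var_dump(safe_unwrap($hostile, $log));  // NULL
print_r($log);
```

The point of the contrast is that a scanner running as root must never let the sample choose which function gets called; the allowlist keeps decoding possible while making the name in the sample irrelevant to what executes.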
The bad news is that Imunify360 has released no statement about the flaw, and no CVE has been assigned yet. Patchstack researchers pointed out that the issue has been publicly available on CloudLinux’s Zendesk since November 4, 2025.
“A critical security vulnerability has been identified in the AI-Bolit before v32.7.4.0.” reads the advisory.
The flaw impacts the following solutions:
- Imunify360
- ImunifyAV+
- ImunifyAV
According to the advisory, CloudLinux fixed the vulnerability on October 21, 2025.
It’s unclear whether the vulnerability has been actively exploited in the wild.
Patchstack released technical details and a PoC exploit, and recommends that hosting providers check for potential compromises.
Pierluigi Paganini
(SecurityAffairs – hacking, Imunify360)
