Critical Imunify360 AV vulnerability exposes 56 million websites to RCE

A severe remote code execution vulnerability in Imunify360 AV has been patched, affecting a security tool that protects around 56 million Linux-hosted websites. Discovered in the product's deobfuscation logic, the flaw allows attackers to execute arbitrary commands and potentially seize control of hosting servers. CloudLinux released a fix on October 21, 2025, though no formal CVE or advisory followed.

Imunify360 AV, also known as AI-Bolit, is a malware scanner widely used to safeguard websites from threats. Security researchers from Patchstack identified a critical remote code execution (RCE) flaw in versions prior to 32.7.4.0. The vulnerability stems from flawed deobfuscation logic that analyzes malicious PHP code, enabling attackers to craft specially encoded files that trigger harmful functions during scanning.

These functions include system(), exec(), shell_exec(), passthru(), and eval(), so a crafted file yields arbitrary command execution on the host. Because the scanner runs with root privileges by default, a successful exploit is a full server takeover. Shared hosting makes this worse: an attacker only needs to drop a file into any one customer account that the scanner will read, and the root-level scan then executes it, giving a foothold on every other site on the same server.

The issue is reachable from every scan type in which deobfuscation is enabled, including background, on-demand, and rapid account scans. Two code paths are at fault: the Eval-Hex pattern, which matches hex-encoded function names, and the Delta/Ord flow, which hands strings to Helpers::executeWrapper without any safety check. The obfuscation techniques the scanner is built to unpick, such as hex escapes, packed payloads, base64/gzinflate chains, and custom transformations, are exactly what steer a file into these paths: the payload stays unrecognized on first inspection, and it is the deobfuscation step itself that ends up executing it.
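The following PHP is an added illustration of the bug class the two flows share, not Imunify360 AV's or AI-Bolit's own code: a decoder resolves a hex-escaped callee name, the unsafe variant then calls whatever name came out, and the hardened variant applies only a fixed allowlist of pure string transformations and reports anything else as an indicator instead of invoking it. The sample payload, the function names (decodeHexEscapes, parseCall, unwrapUnsafe, unwrapSafe) and the SAFE_TRANSFORMS list are assumptions made for the demo.

```php
<?php
// Added illustration of the bug class described above, not Imunify360 AV's own
// code. A deobfuscator that decodes a hex-escaped callee name and then calls it
// dynamically executes whatever the sample names. Names are demo assumptions.

// Constructed malware-style sample: "system" spelled as \x escapes.
$sample = '"\x73\x79\x73\x74\x65\x6d"("id")';

// Decode PHP double-quoted \xNN escapes into their characters.
function decodeHexEscapes(string $s): string
{
    return preg_replace_callback(
        '/\\\\x([0-9A-Fa-f]{2})/',
        fn(array $m): string => chr(hexdec($m[1])),
        $s
    );
}

// Pull a `"<callee>"("<arg>")` pair out of the decoded sample.
function parseCall(string $decoded): ?array
{
    if (preg_match('/^"([^"]+)"\("([^"]*)"\)$/', $decoded, $m)) {
        return [$m[1], $m[2]];
    }
    return null;
}

// VULNERABLE: trusts the callee name taken from the scanned file.
// With $sample above this becomes call_user_func('system', 'id'), i.e. command
// execution under the scanner's privileges (root by default, per the article).
function unwrapUnsafe(string $sample): string
{
    $call = parseCall(decodeHexEscapes($sample));
    if ($call === null) {
        return '[unparsed]';
    }
    [$fn, $arg] = $call;
    return (string) call_user_func($fn, $arg);
}

// HARDENED: only pure string transformations may be applied while unwrapping;
// any other callee is recorded as an indicator and never executed.
const SAFE_TRANSFORMS = ['base64_decode', 'str_rot13', 'strrev', 'gzinflate', 'urldecode'];

function unwrapSafe(string $sample): string
{
    $call = parseCall(decodeHexEscapes($sample));
    if ($call === null) {
        return '[unparsed]';
    }
    [$fn, $arg] = $call;
    if (!in_array(strtolower($fn), SAFE_TRANSFORMS, true)) {
        return "[blocked: $fn]";
    }
    return (string) $fn($arg);
}

echo unwrapSafe($sample), "\n";
echo unwrapSafe('"\x73\x74\x72\x72\x65\x76"("olleh")'), "\n";
// unwrapUnsafe($sample) is deliberately not called: it would run `id` as the
// user executing this script.
```

The allowlist is the whole fix: a deobfuscator needs to apply reversible encodings to recover the real code for analysis, but it never needs to execute a name taken from the sample, so anything outside the fixed set of pure transforms should be logged as a detection hit rather than dispatched.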

Details of the vulnerability emerged in late October 2025, with exploitation information circulating around that time. CloudLinux patched it on October 21, 2025, and documented it quietly on their Zendesk support page on November 4, 2025. No CVE identifier has been assigned, and the company has not issued a formal security advisory. The estimated CVSS score is 8.2, underscoring its severity. This marks the second critical RCE in Imunify360, following a 2021 incident reported by Talos Intelligence.

Hosting providers are urged to upgrade to version 32.7.4.0 or later immediately, confirm the installed version afterwards, and perform forensic investigations for signs of compromise. Because no CVE has been assigned, vulnerability scanners and feeds keyed on CVE identifiers will not flag affected installs, so the version check has to be done deliberately. If patching is delayed, administrators should isolate the scanner in containers with minimal privileges and no network access, bearing in mind that a scanner stripped of root will also lose visibility of files it can no longer read, so this is a stopgap rather than a fix. Contacting CloudLinux support is recommended for verification and guidance.

What people are saying

Discussions on X highlight the severity of the Imunify360 AV RCE vulnerability, with security professionals and news accounts emphasizing risks to 56 million websites and urging immediate patching. Reactions are predominantly neutral and informative, focusing on the potential for server takeovers, while some express concern over the lack of a CVE. No positive sentiments or skepticism were prominent.
