Irony Alert: ImunifyAV Malware Scanner Vulnerable to Remote Code Execution (RCE)
A flaw has been uncovered in the Linux-hosting ecosystem: the ImunifyAV malware scanner has been found vulnerable to remote code execution (RCE). The issue affects the AI-Bolit component embedded within Imunify360, the paid ImunifyAV+, and the free ImunifyAV. A patch was released in late October, yet the vulnerability has still not been assigned an identifier, nor have any guidelines been published for detecting signs of compromise.
Patchstack disclosed the defect. According to the company, the weakness lies in the logic used to unpack obfuscated PHP files during the analysis of suspicious content. AI-Bolit invoked PHP functions extracted from these obfuscated files without validating whether such calls were permissible. Because the scanner relied on call_user_func_array without filtering function names, it enabled the execution of arbitrary system-level functions—including system, exec, shell_exec, passthru, eval, and others. This created an entry point for sophisticated attacks capable of hijacking a website and, if the scanner possessed elevated privileges, potentially seizing control of the entire machine.
Although the standalone version of AI-Bolit ships with its active deobfuscation feature disabled, the copy integrated into Imunify360 enables this mechanism by default. It is active across background analysis, on-demand scans, user-initiated checks, and accelerated scanning modes, leaving ample opportunity for exploitation. Patchstack demonstrated a working proof-of-concept: an attacker need only place a specially crafted PHP file in a temporary directory, after which the scanner, during parsing, will execute the malicious command.
ImunifyAV’s widespread adoption makes the issue particularly far-reaching: the toolset is embedded in the cPanel/WHM control panel, heavily used across Plesk servers, and generally present on any hosting environment protected by Imunify360. According to company data from October 2024, the suite operates quietly behind the scenes of 56 million websites, with over 645,000 installations of Imunify360.
CloudLinux announced the release of patches and urged administrators to upgrade to version 32.7.4.0, including older Imunify360 AV deployments that received backported fixes on 10 November. The new release implements a whitelist of permitted functions, so no PHP function outside that list can be invoked during deobfuscation. Even so, the company has not yet published guidance on identifying potential compromises, nor confirmed any instances of active exploitation.
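To make concrete both the defect described above (function names lifted from a scanned file and handed straight to call_user_func_array) and the allowlist fix that the patched release is said to implement, here is an added PHP example. It is not AI-Bolit or Imunify code; the allowlist contents, the helper names (unsafe_apply, safe_apply) and the sample call tuples are all constructed for illustration.

```php
<?php
// Added example, not Imunify/AI-Bolit code. Shows a deobfuscation step that
// resolves dynamic function calls against an allowlist instead of invoking
// whatever name the scanned file supplied. All names below are assumptions.

declare(strict_types=1);

// Pure string transforms a deobfuscator legitimately needs. Anything not
// listed here (system, exec, shell_exec, passthru, eval, ...) is refused.
const DEOBFUSCATE_ALLOWLIST = [
    'base64_decode', 'str_rot13', 'strrev', 'gzinflate', 'gzuncompress',
    'urldecode', 'rawurldecode', 'hex2bin', 'stripslashes',
];

/**
 * Vulnerable shape, as the advisory describes it: the function name comes
 * straight from the file under analysis and is called as-is. Shown only
 * for contrast; never invoke an untrusted name this way.
 */
function unsafe_apply(string $fn, array $args): mixed
{
    return call_user_func_array($fn, $args);
}

/**
 * Hardened shape: canonicalise the name, check it against the allowlist,
 * validate argument types, and refuse everything else non-fatally.
 */
function safe_apply(string $fn, array $args, array &$log): ?string
{
    // PHP resolves '\STRREV' and 'strrev' to the same builtin, so compare
    // the canonical lower-case form without a leading namespace separator.
    $name = strtolower(ltrim($fn, '\\'));
    if (!in_array($name, DEOBFUSCATE_ALLOWLIST, true)) {
        $log[] = "refused call to '{$fn}' (not in allowlist)";
        return null;
    }
    // These transforms only make sense on strings; reject anything else.
    foreach ($args as $a) {
        if (!is_string($a)) {
            $log[] = "refused non-string argument to '{$name}'";
            return null;
        }
    }
    // Allowlisted transforms may still fail on malformed input (base64_decode
    // returns false, gzinflate warns); treat that as "no result", not an error.
    $out = @call_user_func_array($name, $args);
    return is_string($out) ? $out : null;
}

// Constructed sample of call tuples a parser might extract from an
// obfuscated file: two benign transforms and one that must be refused.
$extracted = [
    ['strrev',        ['!dlrow olleh']],
    ['base64_decode', ['aGVsbG8=']],
    ['\\SYSTEM',      ['placeholder-command']], // hypothetical hostile call
];

$log = [];
foreach ($extracted as [$fn, $args]) {
    $result = safe_apply($fn, $args, $log);
    printf("%-14s => %s\n", $fn, $result === null ? '(refused)' : var_export($result, true));
}
print_r($log);
```

The key design choice is that the decision is made on the canonical name, not the raw string: case differences and a leading backslash would otherwise let a name slip past a naive string comparison while still resolving to the same builtin. Refusals are logged rather than thrown so that one hostile file cannot abort a whole scan run, which also gives defenders a record of what the scanner declined to execute.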