CloudLinux

A critical Remote Code Execution (RCE) vulnerability (CVSS 8.2) was discovered in Imunify360 AV (AI-Bolit) before v32.7.4.0, a security product protecting ~56 million websites globally. The flaw stems from unsafe deobfuscation logic that executes malicious PHP functions (e.g., `system()`, `exec()`, `eval()`) when processing attacker-crafted malware samples. Exploitation allows arbitrary command execution, leading to full server compromise, which is especially severe in shared hosting environments where Imunify360 often runs with root privileges. The vulnerability, disclosed quietly via Zendesk (November 2025) without a CVE or formal advisory, enables attackers to bypass detection via obfuscation techniques (hex escapes, base64/gzinflate chains). Successful attacks could escalate from a single website to complete host takeover, disrupting services for millions. CloudLinux (the vendor) has not issued public warnings beyond a support portal update, leaving many administrators unaware. Immediate patching or mitigation (e.g., isolated containers) is critical to prevent mass exploitation. This marks the second critical RCE in Imunify360 since 2021, highlighting systemic risks in its deobfuscation engine.

Source: https://gbhackers.com/critical-imunify360-vulnerability/

TPRM report: https://www.rankiteo.com/company/cloudlinux

"id": "clo5132451111425",
"linkid": "cloudlinux",
"type": "Vulnerability",
"date": "6/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Approximately 56 million '
                                              'websites worldwide (indirectly '
                                              'via hosting providers)',
                        'industry': 'Cybersecurity / Web Hosting Security',
                        'name': 'CloudLinux (Imunify360)',
                        'type': 'Vendor'},
                       {'industry': 'Web Hosting',
                        'location': 'Global',
                        'name': 'Hosting providers using Imunify360 AV',
                        'type': 'Service Provider'}],
 'attack_vector': ['Network', 'Malicious File Processing'],
 'customer_advisories': ['Hosting providers urged to apply patches immediately',
                         'Administrators advised to contact CloudLinux support '
                         'for exposure verification'],
 'date_detected': 'late October 2024',
 'date_publicly_disclosed': '2025-11-04',
 'description': 'A critical Remote Code Execution (RCE) vulnerability was '
                'discovered and patched in Imunify360 AV, a security product '
                'protecting approximately 56 million websites worldwide. The '
                'flaw originates from the deobfuscation logic in versions '
                'before v32.7.4.0, which executes untrusted functions and '
                'payloads extracted from attacker-supplied malware samples. '
                'Successful exploitation could lead to arbitrary command '
                'execution, individual website compromise, or complete server '
                'takeover, depending on hosting configurations and privilege '
                'levels. The vulnerability was quietly documented on '
                'Imunify360’s Zendesk support portal on November 4, 2025, with '
                'an estimated CVSS severity score of 8.2. CloudLinux, the '
                'vendor, has not issued a formal security advisory or CVE '
                'disclosure.',
 'impact': {'brand_reputation_impact': ['Potential loss of trust due to lack '
                                        'of formal disclosure',
                                        'Second critical RCE vulnerability in '
                                        'Imunify360 (following 2021 incident)'],
            'operational_impact': ['Potential complete server takeover',
                                   'Privilege escalation from single website '
                                   'to host control',
                                   'Arbitrary command execution'],
            'systems_affected': ['Web servers running Imunify360 AV (versions '
                                 'before v32.7.4.0)',
                                 'Shared hosting environments']},
 'initial_access_broker': {'entry_point': ['Malicious files processed by '
                                           'Imunify360 AV deobfuscation logic'],
                           'high_value_targets': ['Shared hosting environments',
                                                  'Servers with '
                                                  'root-privileged Imunify360 '
                                                  'AV services']},
 'investigation_status': 'Vulnerability documented; no formal investigation '
                         'details disclosed',
 'lessons_learned': ['Critical vulnerabilities in security products can have '
                     'widespread impact due to their privileged access',
                     'Lack of formal disclosure (CVE, advisory) can hinder '
                     'coordinated patching efforts',
                     'Default configurations (e.g., deep deobfuscation enabled '
                     'in Python scanner wrapper) can introduce unintended '
                     'risks',
                     'Isolation and least-privilege principles are critical '
                     'for mitigating impact of vulnerabilities in security '
                     'tools'],
 'post_incident_analysis': {'corrective_actions': ['Patch to version v32.7.4.0 '
                                                   'to fix deobfuscation logic '
                                                   'flaws',
                                                   'Review and restrict '
                                                   'default privileges for '
                                                   'security scanners',
                                                   'Improve obfuscated payload '
                                                   'detection mechanisms',
                                                   'Enhance vulnerability '
                                                   'disclosure and '
                                                   'communication processes'],
                            'root_causes': ['Lack of function safety '
                                            'validation in deobfuscation '
                                            'engine (eval-hex and Delta/Ord '
                                            'flows)',
                                            'Automatic enabling of deep '
                                            'deobfuscation in Python scanner '
                                            'wrapper (overriding CLI defaults)',
                                            'Execution of dangerous PHP '
                                            'functions (system(), exec(), '
                                            'shell_exec(), passthru(), eval()) '
                                            'on attacker-controlled data',
                                            'Default root privileges for '
                                            'Imunify360 AV service increasing '
                                            'escalation risks']},
 'recommendations': ['Immediately patch Imunify360 AV to version v32.7.4.0 or '
                     'later',
                     'Run the scanner in isolated containers with minimal '
                     'privileges and no network access if patching is delayed',
                     'Verify server integrity for signs of compromise',
                     'Monitor for unusual activity in hosting environments',
                     'Review and harden default configurations of security '
                     'tools',
                     'Improve transparency in vulnerability disclosure '
                     'processes'],
 'references': [{'date_accessed': '2025-11-04',
                 'source': 'Imunify360 Zendesk Support Portal'},
                {'source': 'Talos Intelligence (2021 Imunify360 RCE '
                           'incident)'}],
 'response': {'communication_strategy': ['Quiet documentation on Zendesk '
                                         'support portal (no formal advisory '
                                         'or CVE disclosure)'],
              'containment_measures': ['Apply vendor-supplied security updates '
                                       '(patch to v32.7.4.0 or later)',
                                       'Restrict execution environment by '
                                       'running scanner in isolated analysis '
                                       'containers with minimal privileges and '
                                       'no network access'],
              'remediation_measures': ['Patch Imunify360 AV to version '
                                       'v32.7.4.0 or later',
                                       'Verify integrity of servers',
                                       'Contact CloudLinux support for '
                                       'post-incident guidance']},
 'title': 'Critical Remote Code Execution Vulnerability in Imunify360 AV',
 'type': ['Vulnerability', 'Remote Code Execution (RCE)'],
 'vulnerability_exploited': 'Remote Code Execution in Imunify360 AV '
                            'deobfuscation logic (versions before v32.7.4.0)'}