Hosting companies must apply the security patch immediately to prevent potential server compromises and unauthorized access.
The vulnerability details emerged in late October 2024, prompting urgent recommendations for affected hosting providers to verify the integrity of their servers.
Despite the severity of the issue affecting millions of websites, Imunify360’s parent company, CloudLinux, has not issued an official security advisory.
The issue was instead quietly documented on its Zendesk support portal on November 4, 2025, with an estimated CVSS severity score of 8.2.
Vulnerability Overview
Security researchers identified a remote code execution flaw in Imunify360 AV (AI-Bolit) versions before v32.7.4.0.
The vulnerability originates from flawed deobfuscation logic that processes untrusted functions and payloads extracted from attacker-supplied malware samples.
When processing malicious files, the deobfuscator can invoke dangerous PHP functions, including system(), exec(), shell_exec(), passthru(), and eval(), enabling arbitrary command execution and complete compromise of the hosting environment.
Attackers can embed specially crafted obfuscated PHP code that triggers the deobfuscation signatures, allowing execution of attacker-controlled data.
The vulnerability exists in two problematic code flows within the deobfuscation engine:
- Eval-Hex Function Pattern: Matches obfuscated code containing hex-encoded function names
- Delta/Ord Flow: Processes strings through Helpers::executeWrapper without validating function safety
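As an added illustration of the missing validation (this is not AI-Bolit's code; the class name, method names and the allowlist are assumptions), the following PHP wrapper resolves a hex-escaped function name but will only apply allowlisted, side-effect-free string transforms to the decoded payload, refusing anything else instead of calling it.

```php
<?php
// Added example, not AI-Bolit's code: a hardened stand-in for the "execute wrapper"
// a PHP deobfuscator uses to apply a decoded function name to a decoded payload.
// Only pure string transforms are permitted; anything else is refused, never called.
declare(strict_types=1);

final class SafeDeobfuscator
{
    // Assumed allowlist of side-effect-free decoders a deobfuscator actually needs.
    private const ALLOWED_TRANSFORMS = [
        'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13',
        'strrev', 'urldecode', 'rawurldecode', 'hex2bin',
    ];

    // Resolve a hex-escaped identifier such as "\x73\x79\x73\x74\x65\x6d" to plain
    // text without eval(). Returns null unless the result is a bare identifier.
    public static function decodeEscapedName(string $escaped): ?string
    {
        $decoded = preg_replace_callback(
            '/\\\\x([0-9A-Fa-f]{2})/',
            static fn(array $m): string => chr((int) hexdec($m[1])),
            $escaped
        );
        if ($decoded === null || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $decoded)) {
            return null;
        }
        return strtolower($decoded);
    }

    // Apply a decoded transform name to attacker-controlled data. The allowlist
    // check is the validation the flawed flow lacks: nothing else is ever invoked.
    public static function executeWrapper(string $functionName, string $payload): string
    {
        $name = strtolower(ltrim($functionName, '\\'));
        if (!in_array($name, self::ALLOWED_TRANSFORMS, true)) {
            throw new RuntimeException("refused to invoke non-allowlisted function: {$name}");
        }
        $result = @$name($payload); // allowlisted pure transform only
        return is_string($result) ? $result : '';
    }
}
// Constructed sample: hex-escaped "system" is refused; "base64_decode" is applied.
$name = SafeDeobfuscator::decodeEscapedName('\x73\x79\x73\x74\x65\x6d') ?? '';
try {
    SafeDeobfuscator::executeWrapper($name, 'id');
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
echo SafeDeobfuscator::executeWrapper('base64_decode', base64_encode('hello')), "\n";
```

Running a scanner's deobfuscation step through a wrapper like this, inside an unprivileged container as the article recommends, limits what a crafted sample can make the scanner do even when a signature matches.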
Detection is particularly challenging because malicious payloads use advanced obfuscation techniques, such as hex escapes, packed payloads, base64/gzinflate chains, and custom transformations, designed to bypass detection until deobfuscated.
By default, Imunify360 AV runs with root privileges, creating severe escalation risks on shared hosting environments.
Successful exploitation could escalate from a single compromised website to complete host control.
Administrators running Imunify360 AV versions before v32.7.4.0 must immediately apply vendor-supplied security updates.
If immediate patching is impossible, restrict the execution environment by running the scanner in isolated analysis containers with minimal privileges and no network access.
The post Imunify360 AV Critical Flaw Exposes 56M Linux Websites to Remote Code Execution appeared first on Cyber Security News.