Red Hot Cyber
A bug in ImunifyAV antivirus leads to RCE. 56 million sites at risk.

Redazione RHC : 14 November 2025 13:38

A vulnerability has been discovered in the Linux hosting ecosystem: the ImunifyAV malware scanner has been found to be vulnerable to remote code execution (RCE).

The issue affects the AI-Bolit component integrated into Imunify360, the paid version ImunifyAV+, and the free version ImunifyAV. A fix was released at the end of October, but the vulnerability has not yet been assigned an identifier, and there are no recommendations on how to check a server for signs of compromise.

Patchstack has published details of the flaw. According to the company, it lies in the logic used to unpack obfuscated PHP files during analysis of suspicious content: AI-Bolit called PHP functions whose names it had extracted from the obfuscated files without validating them. Because the dispatch went through the call_user_func_array construct with no filtering of the function name, any system-level function could be invoked, including exec, shell_exec, passthru, eval, and others. This gave attackers a foothold on the server for sophisticated attacks capable of taking control of the website and, since the scanner runs with elevated privileges, potentially of the entire machine.

Although active deobfuscation is disabled in the standalone version of AI-Bolit, integrating the scanner into Imunify360 enables it. This applies to background scans, on-demand scans, user-defined scans, and accelerated scans, which creates the conditions needed for exploitation. Patchstack demonstrated a working example: it is enough to place a specially crafted PHP file in a temporary directory; once the scanner analyzes that file, it executes the command embedded in it.

The popularity of ImunifyAV makes the problem widespread: the solution is integrated into the cPanel/WHM control panel, is actively used in server installations, and is present on any standard hosting plan protected by Imunify360. According to the company's data from October 2024, this suite of tools operates silently behind the scenes on 56 million websites, and the number of Imunify360 installations exceeds 645,000.

CloudLinux announced the release of the patch and recommended that administrators update to version 32.7.4.0; this includes older Imunify360 AV installations, to which the fix was backported on November 10.

The new version implements a whitelist of safe functions, so that only approved functions can be invoked during the deobfuscation process and no other PHP code is executed. However, the company has not yet provided instructions for identifying potential compromises, nor has it confirmed the presence of any active attacks.
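The unchecked dispatch described above and the whitelist fix, as an added example that is not code from AI-Bolit or Imunify360: a toy deobfuscation step that takes name/argument pairs recovered from a sample and either calls them blindly or restricts calls to a fixed list of decoding helpers. SAMPLE_CALLS, SAFE_FUNCTIONS and the two resolve functions are names constructed for this illustration.

```php
<?php
// Added illustration, not AI-Bolit's code. A deobfuscator often has to
// evaluate small decoding calls (base64_decode, str_rot13, ...) to peel
// layers off a suspicious file. The danger is evaluating whatever name the
// file happens to supply.

// Constructed sample: two name/argument pairs a scanner might recover from
// an obfuscated file. The second names a command-execution function.
const SAMPLE_CALLS = [
    ['base64_decode', ['aGVsbG8=']],            // harmless, decodes to "hello"
    ['shell_exec',    ['echo should-not-run']], // must never be dispatched
];

// Decoding helpers the deobfuscator legitimately needs. Anything else is a
// finding to report, never something to execute.
const SAFE_FUNCTIONS = ['base64_decode', 'str_rot13', 'strrev', 'gzinflate', 'urldecode'];

// Vulnerable pattern: the name comes from the scanned file and is dispatched
// as-is, so exec, shell_exec, passthru and friends are all reachable.
function resolveUnchecked(string $name, array $args)
{
    return function_exists($name) ? call_user_func_array($name, $args) : null;
}

// Hardened pattern: normalise the name (PHP function names are
// case-insensitive) and refuse anything outside the allowlist.
function resolveAllowlisted(string $name, array $args): array
{
    $canonical = strtolower($name);
    if (!in_array($canonical, SAFE_FUNCTIONS, true)) {
        return ['executed' => false, 'blocked' => $canonical];
    }
    return ['executed' => true, 'result' => call_user_func_array($canonical, $args)];
}

// Only the hardened resolver is run here; resolveUnchecked is shown for
// contrast and would execute the second sample entry.
foreach (SAMPLE_CALLS as [$name, $args]) {
    printf("%-14s %s\n", $name, json_encode(resolveAllowlisted($name, $args)));
}
```

The first entry decodes normally while the second is reported as blocked without being executed, which is the behaviour the whitelist in version 32.7.4.0 is described as enforcing.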

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
