A critical vulnerability was recently discovered in Imunify360 AV, a security scanner used by web hosting companies to protect over 56 million websites. An advisory by cybersecurity firm Patchstack warns that the vulnerability can allow attackers to take full control of the server and every website on it.
Imunify360 AV
Imunify360 AV is a malware scanning system used by several web hosting companies. The vulnerability was discovered within its AI-Bolit file-scanning engine and within the separate database-scanning module. Because both the file and database scanners are affected, attackers can compromise the server through two paths, which can allow full server takeover and potentially put millions of websites at risk.
Patchstack shared details of the potential impact:
“Remote attackers can embed specially crafted obfuscated PHP that matches imunify360AV (AI-bolit) deobfuscation signatures. The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code. Impact ranges from website compromise to full server takeover depending on hosting configuration and privileges.
Detection is non-trivial because the malicious payloads are obfuscated (hex escapes, packed payloads, base64/gzinflate chains, custom delta/ord transformations) and are meant to be deobfuscated by the tool itself.
imunify360AV (Ai-Bolit) is a malware scanner specialized in website-related files like php/js/html. By default, the scanner is installed as a service and works with root privileges.
Shared hosting escalation: On shared hosting, successful exploitation can lead to privilege escalation and root access depending on how the scanner is deployed and its privileges. If imunify360AV or its wrapper runs with elevated privileges, an attacker could leverage RCE to move from a single compromised website to full host control.”
Patchstack reveals that the scanner’s own design gives attackers both the means of entry and the mechanism for execution. The tool is built to deobfuscate complex payloads, and that capability becomes the reason the exploit works. Once the scanner decodes attacker-supplied functions, it can run them with the same privileges it already has.
In environments where the scanner operates with elevated access, a single malicious payload can move from a website-level compromise to control of the entire hosting server. This connection between deobfuscation, privilege level, and execution explains why Patchstack classifies the impact as ranging up to full server takeover.
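The design flaw Patchstack describes is a deobfuscator that calls whatever function name it extracts from the payload. As an added illustration (not code from Imunify360, AI-Bolit or Patchstack), the Python sketch below unwraps the same kinds of base64/gzinflate/rot13 chains by looking names up in a fixed table of pure decoders, so an extracted name such as system is treated as data and never called; the eval(decoder('literal')) layout, the stage and size limits, and the sample built by build_sample are constructed assumptions, not real samples.

```python
import base64
import codecs
import re
import zlib

# Allowlist of pure decoders (bytes -> bytes, execute nothing); any other name in the payload is never called.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, wbits=-15),  # PHP gzinflate is raw DEFLATE
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;?\s*$", re.S)  # name( ... ) with optional ;
LITERAL_RE = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)       # a single quoted literal
MAX_STAGES, MAX_BYTES = 8, 1 << 20                            # bound attacker-chosen work

def static_unwrap(text):
    """Peel eval(decoder('literal')) chains by table lookup; returns (revealed_code, note)."""
    for _ in range(MAX_STAGES):
        stage, chain = text, []
        while True:
            lit = LITERAL_RE.match(text)
            if lit:
                data = lit.group(2).encode("latin-1")
                break
            call = CALL_RE.match(text)
            if not call:
                return stage, "plain text reached"
            name, text = call.group(1), call.group(2)
            if name == "eval":
                stage = text  # the execution sink: unwrapped for inspection, never run
                continue
            if name not in DECODERS:  # an extracted name is data, not a call target
                return stage, f"stopped at '{name}': not an allowlisted decoder, left unexecuted"
            chain.append(name)
        for name in reversed(chain):  # innermost decoder runs first
            try:
                data = DECODERS[name](data)
            except Exception as exc:  # bad base64 padding, truncated DEFLATE stream, ...
                return None, f"decode failed in {name}: {exc}"
            if len(data) > MAX_BYTES:  # decompression bombs stop here
                return None, "refused: decoded stage exceeds size limit"
        text = data.decode("latin-1")
    return None, "refused: too many nesting stages"

def build_sample(final_php):
    """Constructed three-stage payload around final_php (not a real sample): rot13+base64 over gzinflate+base64."""
    deflated = zlib.compress(final_php.encode("latin-1"))[2:-4]  # strip zlib header/trailer -> raw DEFLATE
    stage2 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode()
    rot = codecs.encode(stage2, "rot_13").encode("latin-1")
    return "eval(str_rot13(base64_decode('%s')));" % base64.b64encode(rot).decode()
```

The revealed text is what a scanner should then match signatures against; nothing in the chain is ever dispatched by name.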
Two Vulnerable Paths: File Scanner and Database Scanner
Security researchers initially discovered a flaw in the file scanner, but the database-scanning module was later found to be vulnerable in the same way. According to the announcement: “the database scanner (imunify_dbscan.php) was also vulnerable, and vulnerable in the exact same way.” Both of the malware scanning components (file and database scanners) pass malicious code into Imunify360’s internal routines that then execute the untrusted code, giving attackers two different ways to trigger the vulnerability.
Why The Vulnerability Is Easy To Exploit
The file-scanner part of the vulnerability required attackers to place a harmful file onto the server in a location that Imunify360 would eventually scan. But the database-scanner part of the vulnerability needs only the ability to write to the database, which is common on shared hosting platforms.
Because comment forms, contact forms, profile fields, and search logs can write data to the database, injecting malicious content becomes easy for an attacker, even without authentication. This makes the vulnerability broader than a typical malware-execution flaw because it turns ordinary user input into a vector for remote code execution.
Vendor Silence And Disclosure Timeline
According to Patchstack, a patch has been issued by Imunify360 AV but no public statement has been made about the vulnerability and no CVE has been issued for it. A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a specific vulnerability in software. It serves as a public record and provides a standardized way to catalog a vulnerability so that stakeholders are made aware of the flaw, particularly for risk management. If no CVE is issued, users and potential users may not learn about the vulnerability, even though the issue is already publicly listed on Imunify360’s Zendesk.
Patchstack explains:
“This vulnerability has been known since late October, and customers began receiving notifications shortly thereafter, and we advise affected hosting providers to reach out to the vendor for additional information on possible exploitation in the wild or any internal investigation results.
Unfortunately there has been no statement released about the issue by Imunify360’s team, and no CVE has yet been assigned. At the same time, the issue has been publicly available on their Zendesk since November 4, 2025.
Based on our review of this vulnerability, we consider the CVSS score to be: 9.9”
Recommended Actions for Administrators
Patchstack recommends that server administrators immediately apply vendor security updates if running Imunify360 AV (AI-bolit) prior to version 32.7.4.0, or remove the tool if patching is not possible. If an immediate patch cannot be applied, the tool’s execution environment should be restricted, such as running it in an isolated container with minimal privileges. All administrators are also urged to contact CloudLinux / Imunify360 support to report potential exposure, confirm whether their environment was affected, and collaborate on post-incident guidance.
