Critical ImunifyAV Vulnerability Allows Remote Code Execution on Linux Servers


ImunifyAV, a popular malware scanner used across millions of Linux servers, is facing a serious security issue. A remote code execution (RCE) vulnerability in its AI-Bolit scanning component exposes hosting environments to potential compromise. The flaw affects all versions prior to 32.7.4.0, and CloudLinux has urged administrators to update immediately. Although no CVE has been assigned yet, security researchers warn that this issue carries significant risk for shared hosting platforms.

A Widespread Issue Impacting Millions of Websites

ImunifyAV is widely deployed in shared hosting, cPanel/WHM servers, Plesk servers, and managed WordPress hosting plans. It runs silently in the background and protects more than 56 million websites worldwide. Additionally, there are more than 645,000 installations of Imunify360, which includes the same affected component.

Because the product is usually installed at the hosting platform level, many website owners are unaware of its presence. That makes timely patching critical, as the vulnerability lies deep within automated malware-scanning processes that run without user interaction.

How the Vulnerability Works

The issue stems from AI-Bolit’s deobfuscation logic, designed to unpack and analyze suspicious PHP files. During this phase, the tool uses call_user_func_array without validating function names. This oversight allows attackers to trigger dangerous PHP functions such as:

  • system
  • exec
  • shell_exec
  • passthru
  • eval

If exploited, the scanner itself becomes the attack vector, enabling remote code execution at the hosting environment level.

Patchstack researchers note that exploitation requires active deobfuscation. Although this feature is disabled by default in the standalone AI-Bolit CLI, it is forced on in Imunify360 during background scans, rapid scans, and user-initiated scans. This configuration significantly increases the attack surface.

Proof of Concept and Vendor Response

Researchers shared a proof-of-concept that involves placing a crafted PHP file inside the system’s temporary directory. When ImunifyAV scans this file, it triggers RCE automatically.

CloudLinux’s fix introduces an allowlist of permitted functions so that only safe decoding routines can be invoked during deobfuscation. This approach prevents arbitrary function calls and blocks the exploit.
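The dispatcher pattern described in the two passages above (an unvalidated call_user_func_array, and the allowlist that replaces it), as an added illustration written for this article rather than code from AI-Bolit or CloudLinux. The function names and allowlist contents are assumptions; the normalisation step is a check any allowlist of this kind needs, because PHP function names are case-insensitive and a leading backslash still resolves to the global function.

```php
<?php
// Added example, not ImunifyAV/AI-Bolit code: a deobfuscation dispatcher
// that evaluates "func(args)" fragments found in obfuscated PHP, first in
// the unsafe shape the article describes, then with an allowlist.

// Unsafe: whatever name the obfuscated sample supplies gets called, so a
// fragment naming system/exec/shell_exec runs with the scanner's privileges.
function unsafe_eval_call(string $name, array $args)
{
    return call_user_func_array($name, $args);
}

// Hardened: only pure decoding routines may be invoked (assumed list).
// Entries are lowercase so the comparison below is exact.
const DEOBF_ALLOWLIST = [
    'base64_decode', 'str_rot13', 'strrev', 'gzinflate', 'gzuncompress',
    'urldecode', 'rawurldecode', 'hex2bin',
];

function safe_eval_call(string $name, array $args)
{
    // Normalise before checking: "BASE64_Decode" and "\base64_decode" are
    // both valid callables in PHP and would slip past a raw string match.
    $canonical = strtolower(ltrim($name, '\\'));
    if (!in_array($canonical, DEOBF_ALLOWLIST, true)) {
        // Refuse rather than call; log the name so an analyst can review
        // the sample, and leave the fragment unevaluated.
        error_log("deobfuscator: refused call to '$name'");
        return null;
    }
    return call_user_func_array($canonical, $args);
}

// Constructed sample fragments of the kind a layered obfuscator produces.
var_dump(safe_eval_call('BASE64_decode', [base64_encode('echo "hi";')]));
var_dump(safe_eval_call('\system', ['any-command']));
```

The second call is refused and logged; with unsafe_eval_call it would have executed.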

Despite the critical nature of the vulnerability, CloudLinux has not provided detailed detection or compromise-checking instructions. Moreover, there is no confirmation of active exploitation at this time.

Urgent Recommendation for Administrators

System administrators should update ImunifyAV, ImunifyAV+, or Imunify360 to version 32.7.4.0 or newer as soon as possible. Given the widespread deployment across hosting environments, the potential impact is high. Patchstack also reported new findings on November 16, revealing an even easier exploitation vector that does not require uploading malware.

Until more guidance becomes available, updating remains the most effective mitigation.
