Critical Vulnerability in Imunify360 AV Threatens Up to 56 Million Websites

A severe security flaw in Imunify360 AV, a malware scanner used by numerous web hosting companies, puts up to 56 million websites at risk of complete server takeover. Cybersecurity firm Patchstack recently issued an advisory warning about the vulnerability affecting unpatched versions of the security tool.

The vulnerability allows attackers to gain full control of servers and all websites hosted on them by exploiting weaknesses in both the AI-Bolit file-scanning engine and the database-scanning module. Despite a patch being available, the vendor has made no public statement about the critical security issue, raising concerns about affected websites remaining vulnerable.

How the vulnerability works

The vulnerability in Imunify360 AV exists in the system's core functionality—its ability to deobfuscate and scan complex code. Ironically, the very mechanism designed to detect malicious code becomes the pathway for exploitation.

Attackers can embed specially crafted obfuscated PHP code that matches Imunify360's deobfuscation signatures. When the scanner attempts to deobfuscate this code, it executes the extracted functions on attacker-controlled data, allowing arbitrary system commands or PHP code execution.

"Remote attackers can embed specifically crafted obfuscated PHP that matches imunify360AV (AI-bolit) deobfuscation signatures," Patchstack explained in their advisory. "The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code."

What makes this vulnerability particularly dangerous is its dual attack vectors. Initially, researchers discovered the flaw in the file scanner, but later found the database-scanning module was vulnerable in exactly the same way. This provides attackers with two separate paths to compromise servers.

The severity is amplified by the scanner's default configuration, which typically runs with root privileges. As Patchstack notes, "On shared hosting, successful exploitation can lead to privilege escalation and root access depending on how the scanner is deployed and its privileges."

Why exploitation is concerning

The database scanner vulnerability represents the more accessible attack path. Unlike the file scanner vulnerability, which requires attackers to place malicious files on the server, the database scanner vulnerability only requires the ability to write to a database—a common capability on shared hosting platforms.

This makes exploitation significantly easier, as attackers can inject malicious content through:

• Comment forms
• Contact forms
• Profile fields
• Search logs

This broader attack surface turns ordinary user inputs into potential vulnerability vectors for remote code execution, without requiring authentication. The combination of easy exploitation and high-level privileges explains Patchstack's high severity rating of 9.9 on the CVSS scale.

Understanding this vulnerability is crucial for maintaining comprehensive website security protection against evolving threats, especially for businesses operating on shared hosting platforms.

Technical details of the vulnerability

For those interested in the technical aspects, this vulnerability falls into the category of "code injection via deobfuscation process." When the scanner attempts to decipher potentially malicious code, it does so by executing parts of that code in a controlled environment. However, the vulnerability allows attackers to break out of this controlled environment and execute arbitrary commands on the host system.

According to security researchers at OWASP, code injection vulnerabilities like this one are particularly dangerous because they can lead to complete system compromise. The vulnerability exists in both the file scanning component and the database scanning module, creating multiple attack vectors for potential exploitation.

Vendor response and disclosure timeline

Perhaps most concerning about this vulnerability is the lack of public acknowledgment from CloudLinux, the company behind Imunify360 AV. According to Patchstack, the vulnerability has been known since late October, with customers beginning to receive notifications shortly thereafter.

While a patch has been issued (version 32.7.4.0), no public statement has been released by Imunify360's team, and no Common Vulnerabilities and Exposures (CVE) identifier has been assigned. This lack of formal disclosure is particularly problematic since information about the vulnerability has been publicly available on the company's Zendesk support platform since November 4, 2025.

The absence of a CVE—a standardized identifier used to catalog vulnerabilities—means many users and potential customers may remain unaware of the risk, even though the issue is documented in Imunify360's support system.

This situation highlights the importance of implementing a structured vulnerability management process in organizational cybersecurity strategies to stay ahead of potential threats, even when vendors delay public disclosure.

Timeline of events

For clarity, here's a chronological breakdown of the discovery and response to this vulnerability:

• Late October 2025: Vulnerability discovered and reported to CloudLinux
• Early November 2025: Patch developed and released (version 32.7.4.0)
• November 4, 2025: Information about the vulnerability published on Imunify360's Zendesk
• Present: No CVE assigned, no public statement from CloudLinux

This delayed and incomplete disclosure process has left many system administrators in the dark about whether their systems are affected and what actions they should take.

Recommendations for website owners and administrators

For those running servers with Imunify360 AV installed, Patchstack recommends several immediate actions:

1. Apply vendor security updates if running Imunify360 AV (AI-bolit) prior to version 32.7.4.0
2. Remove the tool entirely if patching is not immediately possible
3. If immediate patching isn't feasible, restrict the tool's execution environment, such as running it in an isolated container with minimal privileges
4. Contact CloudLinux/Imunify360 support to report potential exposure and confirm if their environment was affected

Website owners should also check with their hosting providers to verify if they use Imunify360 AV and whether it has been updated to the patched version.

Additional preventative measures

Beyond addressing this specific vulnerability, website owners should consider these additional security measures:

• Implement strict input validation: Ensure all user inputs are thoroughly sanitized and validated before processing
• Deploy file integrity monitoring: Set up tools to detect unauthorized changes to website files
• Configure least privilege access: Ensure all components run with the minimum necessary permissions
• Implement a web application firewall: Add an extra layer of protection against common web attacks

Understanding why cybersecurity is critically important for modern businesses can help organizations prioritize these protective measures effectively.

Implications for the hosting industry

This vulnerability highlights the double-edged sword of security tools in the web hosting ecosystem. Tools designed to protect can themselves become attack vectors when vulnerabilities are discovered—a scenario reminiscent of the 2021 SolarWinds breach that affected thousands of organizations worldwide.

The situation serves as a reminder that in the "Matrix"-like digital landscape we inhabit, sometimes the very systems designed as protection can become the greatest vulnerabilities when compromised or exploited.

For hosting companies, this incident underscores the importance of having layered security approaches that don't rely exclusively on a single tool or vendor. It also emphasizes the need for robust vulnerability management programs that can quickly respond to and mitigate newly discovered flaws.

Long-term industry impact

This incident may have several lasting effects on the hosting security industry:

1. Increased scrutiny of security tools: Hosting providers may implement more rigorous evaluation processes for security software
2. Push for better disclosure practices: The community may demand more transparent vulnerability disclosure processes from security vendors
3. Greater emphasis on defense-in-depth strategies: Organizations may move away from relying on single security solutions

These changes could ultimately strengthen the overall security posture of the hosting industry, albeit at the cost of this significant vulnerability exposure.

How to protect your website

While website owners often have limited control over hosting-level security tools, there are several steps they can take to minimize potential impact:

• Implement strong input validation on all user-submitted content
• Regularly back up website files and databases
• Monitor website files for unexpected changes
• Use a web application firewall (WAF) as an additional security layer
• Keep all website software, plugins, and themes updated

By implementing these measures, website owners can add extra protection layers even if server-level vulnerabilities exist.

The Imunify360 AV vulnerability serves as an important reminder that cybersecurity requires vigilance at all levels, from server infrastructure to individual website components. As digital threats continue to evolve, a proactive and layered approach to security becomes increasingly essential for all online businesses.