A critical vulnerability was recently discovered in Imunify360 AV, a security scanner used by web hosting companies to protect over 56 million websites. An advisory by cybersecurity company Patchstack warns that the vulnerability can allow attackers to take full control of the server and every website on it.
Imunify360 AV
Imunify360 AV is a malware scanning system used by multiple hosting companies. The vulnerability was discovered within its AI-Bolit file-scanning engine and within the separate database-scanning module. Because both the file and database scanners are affected, attackers can compromise the server through two paths, which can allow full server takeover and potentially put millions of websites at risk.
Patchstack shared details of the potential impact:
“Remote attackers can embed specifically crafted obfuscated PHP that matches imunify360AV (AI-bolit) deobfuscation signatures. The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code. Impact ranges from website compromise to full server takeover depending on hosting configuration and privileges.
Detection is non-trivial because the malicious payloads are obfuscated (hex escapes, packed payloads, base64/gzinflate chains, custom delta/ord transformations) and are intended to be deobfuscated by the tool itself.
imunify360AV (Ai-Bolit) is a malware scanner specialized in website-related files like php/js/html. By default, the scanner is installed as a service and works with root privileges.
Shared hosting escalation: On shared hosting, successful exploitation can lead to privilege escalation and root access depending on how the scanner is deployed and its privileges. If imunify360AV or its wrapper runs with elevated privileges, an attacker could leverage RCE to move from a single compromised site to complete host control.”
Patchstack shows that the scanner’s own design gives attackers both the method of entry and the mechanism for execution. The tool is built to deobfuscate complex payloads, and that capability becomes the reason the exploit works. Once the scanner decodes attacker-supplied functions, it can run them with the same privileges it already has.
In environments where the scanner operates with elevated access, a single malicious payload can move from a website-level compromise to control of the entire hosting server. This connection between deobfuscation, privilege level, and execution explains why Patchstack classifies the impact as ranging up to full server takeover.
Two Vulnerable Paths: File Scanner and Database Scanner
Security researchers initially discovered a flaw in the file scanner, but the database-scanning module was later found to be vulnerable in the same way. According to the announcement: “the database scanner (imunify_dbscan.php) was also vulnerable, and vulnerable in the exact same way.” Both of the malware scanning components (file and database scanners) pass malicious code into Imunify360’s internal routines that then execute the untrusted code, giving attackers two different ways to trigger the vulnerability.
Why The Vulnerability Is Easy To Exploit
The file-scanner part of the vulnerability requires attackers to place a harmful file onto the server in a location that Imunify360 will eventually scan. The database-scanner part, however, needs only the ability to write to the database, which is common on shared hosting platforms.
Because comment forms, contact forms, profile fields, and search logs all write data to the database, an attacker can inject malicious content easily, even without authentication. This makes the vulnerability broader than a typical malware-execution flaw: ordinary user input becomes a vector for remote code execution.
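The design point behind the advisory, both for the file scanner and for the database scanner described above, is that a deobfuscator must never resolve a function name extracted from the sample into something it calls. The following is an added example, not Imunify360/AI-Bolit code and not from Patchstack: a small chain unwrapper that treats extracted names only as keys into a fixed allowlist of pure decoders (base64, raw DEFLATE like PHP's gzinflate, rot13, hex), stops at anything else, and returns the decoded bytes for inspection without executing them. The sample rows, function names and sink list are constructed for illustration.

```python
import base64
import codecs
import re
import zlib

# Illustrative allowlist (assumption, not the vendor's list): every entry is a
# pure, side-effect-free transform. The name taken from the sample is only ever
# used as a dictionary key; it is never resolved to a callable.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b, validate=False),
    "gzinflate": lambda b: zlib.decompress(b, wbits=-15),   # raw DEFLATE, like PHP gzinflate
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "hex2bin": lambda b: bytes.fromhex(b.decode("ascii")),
}

# Names that would execute their argument; the unwrapper stops here and reports.
SINKS = {"eval", "assert", "system", "exec", "shell_exec", "passthru", "create_function"}

MAX_CHAIN = 8  # hard cap so a long decoder chain cannot become a CPU/memory sink

# Matches f(g(h('literal'))); with any depth of nesting around one quoted literal.
CHAIN_RE = re.compile(r"^\s*((?:[A-Za-z_]\w*\s*\()+)\s*'([^']*)'\s*\)+\s*;?\s*$")


def unwrap_chain(sample: str):
    """Split "f(g(h('lit')))" into (["f", "g", "h"], b"lit"); None if not a chain."""
    m = CHAIN_RE.match(sample)
    if not m:
        return None
    names = re.findall(r"[A-Za-z_]\w*", m.group(1))
    return names, m.group(2).encode("latin-1")


def deobfuscate(sample: str):
    """Apply allowlisted decoders innermost-first. Nothing is executed.

    Returns (decoded_bytes, remaining_names): remaining_names are the wrappers
    that were NOT applied (outermost first), e.g. an execution sink such as
    eval, or a name outside the allowlist. Returns (None, []) for non-chains.
    """
    parsed = unwrap_chain(sample)
    if parsed is None:
        return None, []
    names, data = parsed
    applied = 0
    while names and names[-1] in DECODERS and applied < MAX_CHAIN:
        name = names.pop()  # innermost call is last in the list
        try:
            data = DECODERS[name](data)
        except (ValueError, zlib.error) as exc:
            raise ValueError(f"{name} failed on sample: {exc}") from exc
        applied += 1
    return data, names


def classify(sample: str) -> str:
    """Verdict for one stored value: no-chain, decoded, sink:<name> or unknown:<name>."""
    data, rest = deobfuscate(sample)
    if data is None:
        return "no-chain"
    if not rest:
        return "decoded"
    innermost_unapplied = rest[-1]
    return ("sink:" if innermost_unapplied in SINKS else "unknown:") + innermost_unapplied


def scan_rows(rows):
    """Run classify() over (row_id, value) pairs such as comment or profile fields."""
    return [(row_id, classify(value)) for row_id, value in rows]


def make_sample(payload: bytes) -> str:
    """Constructed test input: eval(gzinflate(base64_decode('...'))) around payload."""
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(payload) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed database rows: a benign comment, a packed chain, an unknown wrapper.
    rows = [
        (1, "Thanks for the article, very helpful!"),
        (2, make_sample(b'echo "benign";')),
        (3, "mystery(base64_decode('aGVsbG8='));"),
    ]
    for row_id, verdict in scan_rows(rows):
        print(row_id, verdict)
```

Because the decoded bytes are returned rather than handed to an interpreter, the worst a crafted value can do here is fail to decode or hit the chain cap; the sink name in the verdict is what an operator would want surfaced in a detection alert.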
Vendor Silence And Disclosure Timeline
According to Patchstack, a patch has been issued by Imunify360 AV, but no public statement has been made about the vulnerability and no CVE has been issued for it. A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a specific vulnerability in software. It serves as a public record and provides a standardized way to catalog a vulnerability so that interested parties are made aware of the flaw, particularly for risk management. If no CVE is issued, users and potential users may not learn about the vulnerability, even though the issue is already publicly listed on Imunify360’s Zendesk.
Patchstack explains:
“This vulnerability has been known since late October, and customers began receiving notifications shortly thereafter, and we advise affected hosting providers to reach out to the vendor for additional information on possible exploitation in the wild or any internal investigation results.
Unfortunately there has been no statement released about the issue by Imunify360’s team, and no CVE has yet been assigned. At the same time, the issue has been publicly available on their Zendesk since November 4, 2025.
Based on our review of this vulnerability, we consider the CVSS score to be: 9.9”
Recommended Actions for Administrators
Patchstack recommends that server administrators immediately apply vendor security updates if running Imunify360 AV (AI-bolit) prior to version 32.7.4.0, or remove the tool if patching is not possible. If an immediate patch cannot be applied, the tool’s execution environment should be restricted, for example by running it in an isolated container with minimal privileges. All administrators are also urged to contact CloudLinux / Imunify360 support to report potential exposure, confirm whether their environment was affected, and collaborate on post-incident guidance.
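The first step in the recommended actions is knowing which hosts sit below the fixed version. The following is an added example, not vendor or Patchstack code: a fleet triage helper that compares installed versions against 32.7.4.0 (the fixed version named above) component by component. The hostnames and installed versions are constructed; the threshold is the only value taken from the article.

```python
import re

# Fixed version named in the article; anything older is in scope for the update.
FIXED_VERSION = "32.7.4.0"


def parse_version(text: str) -> tuple:
    """Turn '32.7.4.0' into (32, 7, 4, 0).

    Comparing version strings as text is a classic mistake: '32.10.0.0' sorts
    before '32.7.4.0' lexically, so a string comparison would mark a newer
    build as vulnerable. Each component is therefore compared as an integer;
    missing trailing components count as 0.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def triage(hosts: dict) -> dict:
    """Map hostname -> installed version to hostname -> action.

    Actions follow the article's guidance: patch (or remove the tool) when
    below the fixed version; a version that cannot be parsed gets a manual
    verification flag rather than a silent "ok".
    """
    actions = {}
    for host, version in hosts.items():
        try:
            affected = is_affected(version)
        except ValueError:
            actions[host] = "verify-version-manually"
            continue
        actions[host] = "patch-or-remove" if affected else "up-to-date"
    return actions


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are not from the article.
    inventory = {
        "web01.example": "32.7.3.2",
        "web02.example": "32.10.0.0",
        "web03.example": "unknown",
    }
    for host, action in triage(inventory).items():
        print(host, action)
```

Pair the version check with a look at how the scanner service runs: the advisory's point about privilege means a host that is still unpatched and runs the scanner as root is the one to isolate first.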