{"id":8449,"date":"2025-11-14T10:03:43","date_gmt":"2025-11-14T10:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/14\/critical-imunify360-av-vulnerability-exposes-56-million-linux-hosted-websites-to-rce-attacks\/"},"modified":"2025-11-14T10:03:43","modified_gmt":"2025-11-14T10:03:43","slug":"critical-imunify360-av-vulnerability-exposes-56-million-linux-hosted-websites-to-rce-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/14\/critical-imunify360-av-vulnerability-exposes-56-million-linux-hosted-websites-to-rce-attacks\/","title":{"rendered":"Critical Imunify360 AV Vulnerability Exposes 56 Million+ Linux-hosted Websites to RCE Attacks"},"content":{"rendered":"

Critical Imunify360 AV Vulnerability Exposes 56 Million+ Linux-hosted Websites to RCE Attacks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A severe remote code execution (RCE) vulnerability has been discovered in Imunify360 AV, a widely used malware scanner<\/a> protecting approximately 56 million websites.<\/p>\n

The security flaw, recently patched by CloudLinux, allows attackers to execute arbitrary commands and potentially take complete control of hosting servers.<\/p>\n

Patchstack researchers discovered a flaw in Imunify360 AV\u2019s deobfuscation logic used to analyze malicious PHP code.<\/p>\n

\nImunify360 AV RCE<\/strong> Vulnerability<\/strong>
\n<\/h2>\n

Attackers can create specially encoded PHP files that mislead the scanner into executing harmful functions, such as system(), exec(), or eval(), during analysis.<\/p>\n

Because the scanner typically runs with root privileges, successful exploitation can result in a complete server takeover.<\/p>\n

The Patchstack analysis highlights a concerning flaw: deobfuscation is automatically enabled in the default configuration of Imunify360 AV for all scan types.<\/p>\n

\n\n\n\n\n\n\n\n\n
Attribute<\/th>\nDetails<\/th>\n<\/tr>\n<\/thead>\n
Vulnerability Type<\/td>\nRemote Code Execution (RCE)<\/td>\n<\/tr>\n
Product Affected<\/td>\nImunify360 AV (AI-Bolit)<\/td>\n<\/tr>\n
Affected Versions<\/td>\nPrior to v32.7.4.0<\/td>\n<\/tr>\n
Patched Version<\/td>\nv32.7.4.0 and later<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Including background scans, on-demand scans, and rapid account scans. This means vulnerable systems are continuously at risk whenever the scanner operates. On shared hosting environments, this vulnerability poses exceptional danger.<\/p>\n

Attackers who compromise a single website can escalate privileges to gain root access, compromising every website and customer on the same server.<\/p>\n

This lateral movement capability makes the vulnerability especially severe for hosting providers serving multiple clients. CloudLinux released a patch on October 21, 2025, but has notably not issued a formal CVE assignment or security advisory<\/a>.<\/p>\n

Information about the vulnerability appeared on their Zendesk support page on November 4, 2025, even though exploitation details had been circulating since late October.<\/p>\n

Patchstack experts recommend hosting companies not only patch immediately but also investigate whether their servers have already been compromised.<\/p>\n

Hosting companies should upgrade to Imunify360 AV version 32.7.4.0 or later without delay and conduct forensic checks for signs of exploitation on their infrastructure.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Critical Imunify360 AV Vulnerability Exposes 56 Million+ Linux-hosted Websites to RCE Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical Imunify360 AV Vulnerability Exposes 56 Million+ Linux-hosted Websites to RCE Attacks A severe remote code execution (RCE) vulnerability has been discovered in Imunify360 AV, a widely used malware scanner protecting approximately 56 million websites. The security flaw, recently patched by CloudLinux, allows attackers to execute arbitrary commands and potentially take complete control of hosting […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,2035,648],"tags":[130],"class_list":["post-8449","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-rce-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8449"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8449"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8449\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}