
Critical Imunify360 AI-Bolit Bug Fixed in Latest Patch

A critical flaw in Imunify360 allowed attacker code to run during scans, putting millions of websites at risk.

Written by Ken Underhill
Nov 14, 2025

Editor’s Note: This article has been updated to reflect new information released by the vendor.

A critical vulnerability in the AI-Bolit component of Imunify360, ImunifyAV+, and ImunifyAV was recently disclosed and patched by the vendor, with the fix automatically deployed to the vast majority of servers.

The flaw, present in versions prior to 32.7.4-1, allowed remote code execution (RCE) during malware scanning because of unsafe deobfuscation logic.

According to the vendor’s advisory, there is no evidence of active exploitation, and no customer reports of suspicious activity.

How Attackers Could Leverage Imunify360 to Run System Commands

Prior to patching, the vulnerability potentially allowed attackers to craft malicious payloads that could trigger unintended code execution within AI-Bolit’s scanning process. 

Because the scanner analyzes user-supplied files and database content — including obfuscated PHP, JavaScript, and HTML — an attacker could embed strings that matched internal deobfuscation patterns. 

Because the extracted strings were used as function names, an attacker controlled which PHP function the scanner called, and in contexts where the scanner ran with elevated privileges that call ran with the same privileges.

In environments where the scanner operated with root-level access, this could theoretically escalate into full system takeover. 

While such exploitation has not been observed in the wild, the vulnerability highlights the unique risks associated with scanning engines that both handle untrusted input and operate in privileged contexts.

Root Cause: Unsafe Deobfuscation Logic

The vulnerability originated within AI-Bolit’s deobfuscation routines, specifically in functions such as deobfuscateDeltaOrd and deobfuscateEvalHexFunc.

These functions extracted data from scanned files and passed it directly into Helpers::executeWrapper(), a wrapper around call_user_func_array().

Because the extracted strings were not validated or restricted to safe functions, attackers could embed malicious function names that were later executed during scanning.

Both the file-scanning and database-scanning paths were impacted. The Oct. 23, 2025 patch resolved the issue by implementing a strict allowlist of permitted functions, preventing untrusted values from ever reaching execution.
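The following is an added illustration of the bug class just described, not AI-Bolit source code. Only the names executeWrapper and deobfuscateEvalHexFunc come from the advisory; the name('hex') obfuscator format, the regex, the allowlist contents and every function body are assumptions made for the example. The vulnerable wrapper calls whatever function name the scanned content supplies; the hardened wrapper refuses anything outside a small allowlist of decoding primitives. The malicious sample names touch(), so that the "scan" leaves a visible file instead of running a shell command.

```php
<?php
declare(strict_types=1);

// Added example of the unsafe-dispatch pattern, NOT AI-Bolit code. Names executeWrapper and
// deobfuscateEvalHexFunc are from the advisory; everything else here is assumed.

final class UnsafeHelpers
{
    // Vulnerable shape: whatever function name the scanned file supplied gets invoked.
    public static function executeWrapper(string $func, array $args): mixed
    {
        return call_user_func_array($func, $args);
    }
}

final class SafeHelpers
{
    // Hardened shape: only decoding primitives a deobfuscator legitimately needs.
    // Assumed list; the vendor's real allowlist is not given in the article.
    private const ALLOWED = ['base64_decode', 'hex2bin', 'strrev', 'str_rot13', 'gzinflate'];

    public static function executeWrapper(string $func, array $args): mixed
    {
        $name = strtolower(ltrim($func, '\\'));   // "\\System" and "SYSTEM" still mean system()
        if (!in_array($name, self::ALLOWED, true)) {
            throw new RuntimeException("refusing non-allowlisted function: $func");
        }
        return call_user_func_array($name, $args);
    }
}

// Assumed obfuscator form this routine "understands":  name('hex')
// e.g. strrev('6f6c6c6568') is treated as strrev(hex2bin('6f6c6c6568')) and yields "hello".
function deobfuscateEvalHexFunc(string $content, string $helpers): ?string
{
    if (!preg_match("/^(\\\\?\\w+)\\('((?:[0-9a-f]{2})+)'\\)\$/i", trim($content), $m)) {
        return null;                                // not a pattern this routine handles
    }
    [, $func, $hex] = $m;
    return (string) $helpers::executeWrapper($func, [hex2bin($hex)]);
}

// Constructed samples: one benign, one naming a function the scanner never needed.
$marker  = sys_get_temp_dir() . '/aibolit_demo_marker';
$benign  = "strrev('6f6c6c6568')";
$payload = "touch('" . bin2hex($marker) . "')";

@unlink($marker);
echo "unsafe, benign : ", deobfuscateEvalHexFunc($benign, UnsafeHelpers::class), "\n";
deobfuscateEvalHexFunc($payload, UnsafeHelpers::class);
echo "unsafe, payload: marker created during scan? ", file_exists($marker) ? "yes" : "no", "\n";
@unlink($marker);

echo "safe,   benign : ", deobfuscateEvalHexFunc($benign, SafeHelpers::class), "\n";
try {
    deobfuscateEvalHexFunc($payload, SafeHelpers::class);
} catch (RuntimeException $e) {
    echo "safe,   payload: ", $e->getMessage(), "\n";
}
echo "safe,   payload: marker created during scan? ", file_exists($marker) ? "yes" : "no", "\n";
```

Run with `php example.php`. With the unsafe wrapper the scan of the attacker's content creates the marker file, which is the side effect the advisory warns about, and it would have done so with the scanner's own privileges; with the allowlisted wrapper the benign sample still decodes but the payload is rejected before anything is called. Note the normalisation step: an allowlist compared case-sensitively, or without stripping a leading backslash, is easy to bypass in PHP.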

Stealthy Payloads Make Detection Challenging

Because AI-Bolit is designed to handle heavily obfuscated content, detecting malicious use of this flaw could have been challenging. 

Attackers could leverage techniques such as hex encoding, delta/ord transformations, nested base64 chains, or compressed payloads — formats the scanner purposely attempts to decode. 

These complex encodings allow malicious function strings to remain hidden until the vulnerable deobfuscation logic processes them.

Although no exploitation has been reported, the nature of the flaw underscores how difficult forensic identification would be without strong monitoring and auditing controls around security tools.
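As an added example for the encodings discussed in this section (not code from AI-Bolit or the vendor), the routine below peels nested layers such as hex, base64 chains and compressed payloads purely as data transforms and then reports dangerous function names found at the innermost layer. It never calls anything the sample names, which is the property the fixed scanner needs. The recognised layer formats and the DANGEROUS list are assumptions for illustration; the nested sample is constructed at runtime.

```php
<?php
declare(strict_types=1);

// Added example, NOT AI-Bolit code: decode nested payload layers without executing them
// and flag dangerous function names. Layer formats and DANGEROUS are assumed.

const DANGEROUS = ['system', 'exec', 'shell_exec', 'passthru', 'eval', 'assert', 'popen', 'proc_open'];

/** One decoding step, or null when no known layer matches. Pure data transforms only. */
function peelLayer(string $s): ?string
{
    $s = trim($s);
    if (preg_match('/^gzinflate\(base64_decode\(["\']([A-Za-z0-9+\/=]+)["\']\)\)$/', $s, $m)) {
        $raw = base64_decode($m[1], true);
        $d   = $raw === false ? false : @gzinflate($raw);
        return $d === false ? null : $d;
    }
    if (preg_match('/^base64_decode\(["\']([A-Za-z0-9+\/=]+)["\']\)$/', $s, $m)) {
        $d = base64_decode($m[1], true);          // strict mode rejects junk characters
        return $d === false ? null : $d;
    }
    if (preg_match('/^hex2bin\(["\']((?:[0-9a-fA-F]{2})+)["\']\)$/', $s, $m)) {
        return hex2bin($m[1]) ?: null;
    }
    if (preg_match('/^str_rot13\(["\'](.*)["\']\)$/s', $s, $m)) {
        return str_rot13($m[1]);
    }
    return null;
}

/** Peel up to $maxDepth layers and return the dangerous names found (empty means clean). */
function findHiddenCalls(string $content, int $maxDepth = 10): array
{
    $layers = 0;
    while ($layers < $maxDepth && ($next = peelLayer($content)) !== null) {
        $content = $next;
        $layers++;
    }
    preg_match_all('/\b(\w+)\s*\(/', $content, $m);
    $names = array_map('strtolower', $m[1]);
    return array_values(array_unique(array_intersect($names, DANGEROUS)));
}

// Constructed samples: a three-layer chain (gzip + base64 + rot13) around a shell call,
// and a single base64 layer around harmless code.
$inner  = "system('id');";
$sample = "gzinflate(base64_decode('" . base64_encode(gzdeflate(
    "base64_decode('" . base64_encode("str_rot13('" . str_rot13($inner) . "')") . "')"
)) . "'))";
$clean  = "base64_decode('" . base64_encode("echo 'hello';") . "')";

printf("nested payload -> %s\n", implode(',', findHiddenCalls($sample)) ?: '(clean)');
printf("clean sample   -> %s\n", implode(',', findHiddenCalls($clean)) ?: '(clean)');
```

The nested sample is reported as hiding system() and the clean sample as clean. The depth cap matters for a scanner that handles untrusted input: without it, a self-referential or very deep chain turns the deobfuscator into a denial-of-service target. The same peeling loop can be pointed at files modified in a suspect window as part of the retrospective hunt recommended below.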

How to Secure Your Environment Against Imunify360 RCE

In light of the recent Imunify360 AV vulnerability, organizations should take immediate steps to secure their hosting environments and reduce the risk of exploitation. 

  • Immediately apply Imunify360 AV updates (v32.7.4.0 or later) and verify server integrity, especially on systems that scanned untrusted files before the Oct. 23, 2025 fix reached them.
  • Run the AI-Bolit scanner in a tightly isolated environment (container/VM) with minimal privileges, no network access, and restricted filesystem visibility.
  • Reduce privilege exposure by enforcing strict user separation and mandatory access (MAC) controls to prevent the scanner or compromised processes from executing unauthorized commands or modifying critical system areas.
  • Harden execution paths and temporary directories by disabling deep deobfuscation where possible and mounting /tmp and similar dirs with noexec/nosuid/nodev.
  • Monitor for abnormal scanner behavior and perform retrospective threat hunting, including scanning for unexpected processes, suspicious artifacts in temp directories, altered PHP files, or persistence mechanisms.
  • Review and tighten privilege boundaries between website users, hosting environments, and scanning services, applying network segmentation to prevent lateral movement or elevation from shared hosting environments.
  • Implement stronger detection/telemetry controls, including file integrity monitoring (FIM), WAF telemetry review, and enhanced auditing of scan logs and executed commands.

By implementing these mitigations, organizations can reduce the attack surface created by this Imunify360 vulnerability and strengthen overall resilience.

This vulnerability demonstrates the dangers of executing untrusted content during malware analysis, especially within high-privilege services. 

The widespread use of Imunify360 across shared hosting environments amplifies the risk, making prompt patching and containment essential.  

Such vulnerabilities underscore the necessity of zero-trust principles that emphasize verification and control.
