Imunify360 Zero-Day Leaves Millions of Websites Open to RCE

A critical flaw in Imunify360 allowed attacker code to run during scans, putting millions of websites at risk.

Written By
Ken Underhill
Nov 14, 2025

A recently patched Remote Code Execution (RCE) vulnerability in Imunify360 AV poses severe security risks for hosting providers and the millions of websites they support. 

Imunify360 contained a flaw in its deobfuscation engine that allowed attacker-supplied code to be executed during malware scanning. 

Despite the seriousness of the issue, no CVE has been assigned, and the vendor, CloudLinux, has not released a formal advisory. 

The only public acknowledgment appears in a brief Zendesk post.

How Attackers Leverage Imunify360 to Run System Commands

The vulnerability affects Imunify360 AV (AI-Bolit) versions prior to v32.7.4.0 and stems from unsafe deobfuscation logic within the scanner. 

AI-Bolit attempts to analyze obfuscated PHP, JavaScript, and HTML files by applying function-recovery heuristics. 

However, the engine inadvertently executes certain function names and payloads extracted from attacker-supplied files. 

Because Imunify360 AV often operates with root-level privileges, this behavior allows remote attackers to achieve arbitrary command execution on the underlying host.

The flaw enables malicious actors to embed crafted, obfuscated PHP code that matches Imunify360’s internal deobfuscation signatures. 

Once processed, the scanner may invoke PHP functions — including system(), exec(), shell_exec(), passthru(), and eval() — leading to full compromise of the target environment. 

This exposure can escalate from the compromise of a single website to total server takeover, especially in shared hosting environments where the scanner holds elevated permissions.

Root Cause: Unsafe Deobfuscation Logic

Two primary code paths were identified as contributing to this vulnerability: the eval-hex function pattern and the Delta/Ord deobfuscation flow. 

Both mechanisms rely on Helpers::executeWrapper, which invokes PHP functions recovered during deobfuscation without validating whether those functions are safe to execute. 

This lack of function-level filtering allows attacker-controlled function names to flow into system-level execution.

Although the Imunify360 PHP CLI tool appears to disable deep deobfuscation by default, the Python-based scanner wrapper (responsible for background, rapid, on-demand, and user-initiated scans) always passes the --deobfuscate flag. 

This design choice ensures the vulnerable code path is active in all operational scan modes, increasing exploitability.
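The root-cause description above (a wrapper that dispatches whatever function name the deobfuscation heuristics recover, with no function-level filter) can be shown side by side with the fix it implies. The block below is an added example, not Imunify360's or AI-Bolit's code: the hex-escaped call pattern, the two samples, the dispatch tables and all function names are constructed here to illustrate the shape of the flaw. The "dangerous" entries are inert stubs that only record a call, so the example runs safely offline.

```python
import base64
import codecs
import re
import zlib

# Constructed input pattern (not Imunify360's real signature): a PHP-style call whose
# function name is spelled entirely in \xNN escapes and applied to one string literal.
CALL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"\s*\(\s*"([^"]*)"\s*\)')

# Constructed samples. BENIGN recovers base64_decode("aGVsbG8="); HOSTILE recovers
# system("COMMAND_PLACEHOLDER"). To a name-recovery heuristic both look the same.
BENIGN_SAMPLE = r'"\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"("aGVsbG8=")'
HOSTILE_SAMPLE = r'"\x73\x79\x73\x74\x65\x6d"("COMMAND_PLACEHOLDER")'


def recover_call(snippet):
    """Return (function_name, argument) recovered from a hex-escaped call, or None."""
    m = CALL_RE.search(snippet)
    if m is None:
        return None
    name = bytes.fromhex(m.group(1).replace("\\x", "")).decode("ascii")
    return name, m.group(2)


# Pure, side-effect-free transforms a deobfuscator legitimately needs to undo.
SAFE_DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
    "hex2bin": lambda s: bytes.fromhex(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
}

# Stand-ins for the dangerous PHP functions named in the article. They execute
# nothing; they only record that the scanner would have called them.
AUDIT_LOG = []


def _dangerous_stub(name):
    def stub(arg):
        AUDIT_LOG.append((name, arg))
        return f"<{name} would have run>"
    return stub


# The vulnerable shape: one dispatch table, no distinction between decoders and sinks.
UNFILTERED_TABLE = dict(SAFE_DECODERS)
for _sink in ("system", "exec", "shell_exec", "passthru", "eval"):
    UNFILTERED_TABLE[_sink] = _dangerous_stub(_sink)


def execute_wrapper_unfiltered(name, arg):
    """Vulnerable: whatever name the heuristics recovered is dispatched as-is."""
    fn = UNFILTERED_TABLE.get(name)
    if fn is None:
        raise ValueError(f"unknown function {name!r}")
    return fn(arg)


def is_allowed(name):
    """Function-level filter: only known pure decoders may run during a scan."""
    return name in SAFE_DECODERS


def execute_wrapper_allowlisted(name, arg):
    """Hardened: refuse anything outside the decoder allowlist instead of calling it."""
    if not is_allowed(name):
        raise PermissionError(f"refusing to execute non-decoder function {name!r}")
    return SAFE_DECODERS[name](arg)


def deobfuscate(snippet, wrapper):
    """One deobfuscation step: recover the call, hand it to the chosen wrapper."""
    call = recover_call(snippet)
    if call is None:
        return snippet
    name, arg = call
    return wrapper(name, arg)


def try_deobfuscate(snippet, wrapper):
    """Return ("ok", result) or ("blocked", function_name) so a scanner can flag the file."""
    try:
        return "ok", deobfuscate(snippet, wrapper)
    except PermissionError:
        return "blocked", recover_call(snippet)[0]


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("hostile", HOSTILE_SAMPLE)):
        print(label, "unfiltered  ->", try_deobfuscate(sample, execute_wrapper_unfiltered))
        print(label, "allowlisted ->", try_deobfuscate(sample, execute_wrapper_allowlisted))
```

The design point is that a deobfuscator only ever needs to apply reversible, side-effect-free transforms, so the allowlist is small and closed; a recovered name that is not on it is itself a detection signal worth logging, never something to invoke. Running the scanner as an unprivileged user in an isolated sandbox (as the mitigations below recommend) limits the damage if the filter is ever bypassed, but does not replace it.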

Stealthy Payloads Make Detection Challenging

Detecting malicious payloads exploiting this vulnerability is difficult due to their heavy obfuscation. 

Techniques observed include packed binary payloads, base64/gzinflate chains, hex escapes, and custom delta/ord transformations. 

These techniques are intentionally crafted to remain undetectable until processed by the vulnerable deobfuscation logic. 

As a result, compromised servers may show little or no evidence until after execution has occurred.

Lack of Vendor Disclosure Raises Concerns

CloudLinux has not issued a formal security advisory, coordinated disclosure, or CVE assignment as of the time of writing. 

This marks the second significant RCE issue linked to Imunify360, following a similar disclosure by Talos Intelligence in 2021.

Based on independent analysis by PatchStack researchers, the estimated CVSS score for this vulnerability is 8.2, placing it in the “High” severity category.

How to Secure Your Environment Against Imunify360 RCE

In light of the recent Imunify360 AV vulnerability, organizations should take immediate steps to secure their hosting environments and reduce the risk of exploitation. 

  • Immediately apply Imunify360 AV updates (v32.7.4.0 or later) and verify server integrity, especially for systems that processed untrusted files since late October 2024.
  • Run the AI-Bolit scanner in a tightly isolated environment (container/VM) with minimal privileges, no network access, and restricted filesystem visibility.
  • Reduce privilege exposure by enforcing strict user separation and mandatory access control (MAC) to prevent the scanner or compromised processes from executing unauthorized commands or modifying critical system areas.
  • Harden execution paths and temporary directories by disabling deep deobfuscation where possible and mounting /tmp and similar directories with noexec/nosuid/nodev.
  • Monitor for abnormal scanner behavior and perform retrospective threat hunting, including scanning for unexpected processes, suspicious artifacts in temp directories, altered PHP files, or persistence mechanisms.
  • Review and tighten privilege boundaries between website users, hosting environments, and scanning services, applying network segmentation to prevent lateral movement or elevation from shared hosting environments.
  • Implement stronger detection/telemetry controls, including file integrity monitoring (FIM), WAF telemetry review, and enhanced auditing of scan logs and executed commands.
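The retrospective hunting and file integrity monitoring items above can be combined with the obfuscation techniques the article lists earlier (base64/gzinflate chains, hex escapes, delta/ord transforms) into one small check over a web root. This is an added example, not Imunify360's, CloudLinux's or Patchstack's code: the file paths, file contents and baseline hashes are constructed here, and the indicator patterns are heuristics chosen for illustration, not the scanner's own signatures.

```python
import hashlib
import re

# Indicators drawn from the techniques the article lists. Each is a heuristic, not a
# signature; legitimate code can trip one, which is why findings use a threshold.
INDICATORS = {
    "decode_chain": re.compile(
        r'\b(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\('
        r'\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(', re.I),
    "hex_escape_run": re.compile(r'(?:\\x[0-9a-fA-F]{2}){6,}'),
    "ord_delta_loop": re.compile(r'\bchr\s*\(\s*ord\s*\([^)]*\)\s*[-+]'),
    "dynamic_call": re.compile(r'\$\w+\s*\(\s*\$\w+'),
    "exec_sink": re.compile(r'\b(?:system|exec|shell_exec|passthru|eval)\s*\(', re.I),
}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def score_content(text):
    """Return (score, [indicator names]); each indicator counts once per file."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return len(hits), hits


def hunt(files, baseline, threshold=2):
    """files: {path: content}. baseline: {path: sha256} recorded before the exposure window.
    A file is reported when it is new, changed, or scores at or above the threshold."""
    findings = []
    for path, content in files.items():
        digest = sha256_hex(content)
        score, hits = score_content(content)
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        elif baseline[path] != digest:
            reasons.append("hash changed since baseline")
        if score >= threshold:
            reasons.append("obfuscation indicators: " + ", ".join(hits))
        if reasons:
            findings.append({"path": path, "sha256": digest, "score": score, "reasons": reasons})
    return findings


# Constructed sample web root: one untouched file, one dropped file, one modified file.
ORIGINAL_THEME = "<?php get_header(); get_footer(); ?>"
SAMPLE_FILES = {
    "/var/www/site/index.php": '<?php echo "Hello"; ?>',
    "/var/www/site/wp-content/uploads/cache.php": (
        r'<?php $f = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"; '
        r'eval(gzinflate(base64_decode($payload))); ?>'
    ),
    "/var/www/site/theme.php": (
        "<?php $s = ''; foreach (str_split($b) as $c) { $s .= chr(ord($c) - 7); } $fn($s); ?>"
    ),
}
# Baseline as a FIM tool would have recorded it before theme.php was altered.
BASELINE = {
    "/var/www/site/index.php": sha256_hex(SAMPLE_FILES["/var/www/site/index.php"]),
    "/var/www/site/theme.php": sha256_hex(ORIGINAL_THEME),
}


if __name__ == "__main__":
    for finding in hunt(SAMPLE_FILES, BASELINE):
        print(finding["path"], finding["score"], "; ".join(finding["reasons"]))
```

In practice the baseline comes from a FIM snapshot taken before the exposure window, and the file walk replaces the in-memory dictionary; the point of the two-signal design is that a modified file with a low indicator score and an unmodified-looking file with a high score are both worth a look, since the payloads described above are built to stay inert until the scanner processes them.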

By implementing these mitigations, organizations can reduce the attack surface created by this Imunify360 vulnerability and strengthen overall resilience.

This vulnerability demonstrates the dangers of executing untrusted content during malware analysis, especially within high-privilege services. 

The widespread use of Imunify360 across shared hosting environments amplifies the risk, making prompt patching and containment essential.  

Such vulnerabilities underscore the necessity of zero-trust principles that emphasize verification and control.
