A remote code execution vulnerability in Imunify360 AV is putting hosting servers that protect up to 56 million websites at risk. Cybersecurity firm Patchstack disclosed the issue publicly in November 2025 after notifying the vendor in late October.
The affected Imunify360 AV malware scanner runs on hosting platforms worldwide and is used to protect websites by scanning for malicious code.
Key Details
Imunify360 AV is a malware scanning tool used by multiple web hosting companies to check website-related files such as PHP, JavaScript, and HTML. The newly disclosed vulnerability allows remote code execution on servers running vulnerable versions of the software. Patchstack states that hosting providers rely on Imunify360 AV to protect over 56 million websites.
- The flaw resides in the AI-Bolit file scanner and the separate database scanning script
imunify_dbscan.php. - Remote attackers can embed specially crafted, obfuscated PHP that matches Imunify360 AV deobfuscation signatures.
- The deobfuscator executes extracted functions on attacker-controlled data, enabling arbitrary system commands or arbitrary PHP code.
- Patchstack reports that the potential impact ranges from individual website compromise to complete server takeover, depending on configuration and privileges.
According to Patchstack, Imunify360 AV typically installs as a service and often runs with root privileges by default. On shared hosting platforms, successful exploitation can lead to privilege escalation and full root access.
Patchstack states that Imunify360 AV has released a patch and recommends updating to at least version 32.7.4.0. If updating is not possible, the advisory suggests removing the scanner or running it only in an isolated container. Administrators are advised to contact CloudLinux or Imunify360 support for exposure assessment and investigation guidance.
Patchstack has shared details on the vulnerability, assigning it a CVSS score of 9.9. No CVE identifier has been assigned yet, and Patchstack notes that Imunify360 has not issued a public statement so far.
Background Context
Patchstack researchers first identified the problem in the AI-Bolit file scanner component, then confirmed that the database scanner imunify_dbscan.php is vulnerable in the same way. In both cases, attacker-supplied payloads are passed into internal routines that then execute the deobfuscated code.
For the file-scanning path, attackers must place a malicious file where Imunify360 AV will eventually scan it. For the database-scanning path, Patchstack states that attackers only need the ability to write data into the database. Common sources of user-supplied database content include comment forms, contact forms, profile fields, and search logs.
Patchstack explains that detection is difficult because payloads are heavily obfuscated. Techniques include hex escapes, packed payloads, base64 combined with gzinflate, and custom delta or ord transformations. The payloads are constructed so that Imunify360 AV performs the deobfuscation itself during scanning.
Patchstack reports that it informed the vendor about the issue in late October 2025. Customers began receiving notifications from Imunify360 shortly afterward. According to Patchstack, the issue has been publicly documented on Imunify360's Zendesk portal since 4 November 2025.
Source Citations
The information in this report is based on Patchstack's published advisory and statements. Patchstack is a cybersecurity company that researches and discloses web-related vulnerabilities.
Patchstack advisory: Remote code execution vulnerability found in Imunify360
.svg)
.svg)
.svg)