
Critical Imunify360 flaw puts 56 million sites at risk - are you exposed?

Reviewed: Andrii Daniv
Nov 17, 2025

Cybersecurity firm Patchstack has disclosed a critical remote code execution vulnerability in Imunify360 AV, a malware scanner widely used by web hosting providers. Patchstack says platforms running Imunify360 AV protect up to 56 million websites globally. The flaw affects both the product's AI-Bolit file scanning engine and its database scanning module. A patch is available, but no public vendor statement or CVE identifier has been published yet. Patchstack has shared details in its advisory.


Key Details

Imunify360 AV, also known as AI-Bolit, is a malware scanner produced by CloudLinux and deployed on many shared hosting servers. Patchstack states that the affected component is installed by default as a service and typically runs with root privileges.

  • Patchstack rates the issue with a CVSS score of 9.9.
  • Remote attackers can embed specially crafted, obfuscated PHP that matches Imunify360 AV deobfuscation signatures.
  • The deobfuscator executes extracted functions on attacker-controlled data, enabling arbitrary system commands or PHP code execution.
  • Impact ranges from compromise of a single website to full server takeover, depending on how the scanner is deployed and which privileges it has.
  • Both the file scanner and the database scanner pass attacker-supplied code into internal Imunify360 routines, which then execute that untrusted content.
  • Patchstack notes that detection is difficult because malicious payloads are heavily obfuscated and specifically designed for the tool to decode.

Patchstack describes two primary exploitation paths:

  • File scanner path: Requires an attacker to place a malicious file in a location that Imunify360 AV scans.
  • Database scanner path: Requires only the ability to write data to the website database, including through unauthenticated input fields.

According to Patchstack, comment forms, contact forms, profile fields, and search logs can all provide database write access. The company classifies the issue as remote code execution that can escalate from a single website compromise to a full server-level breach.
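The key details above say the deobfuscator executes functions extracted from scanned content. As an added illustration (not Imunify360 or Patchstack code, and not the vendor's fix), this Python sketch of a toy deobfuscator shows the defensive alternative: function names read from a sample are only looked up in a fixed allowlist of pure string transforms, and the whole chain is validated before anything runs. All names and sample strings here are constructed assumptions.

```python
import base64
import codecs
import re

# Allowlist of pure string-to-string transforms (hypothetical toy set).
# A name read from a scanned sample is only ever used as a key into this dict.
SAFE_TRANSFORMS = {
    "base64_decode": lambda s: base64.b64decode(s, validate=True).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
    "strrev": lambda s: s[::-1],
}

CALL = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\((.*)\)\s*$", re.S)  # name( inner )
LITERAL = re.compile(r"""^\s*(['"])([^'"]*)\1\s*$""")  # quoted string, no escapes

class RefusedTransform(Exception):
    """Raised when a sample names a function outside the allowlist."""

def deobfuscate(expr, max_depth=16):
    """Statically unwrap nested calls such as strrev(base64_decode("..."))."""
    chain = []
    while True:
        lit = LITERAL.match(expr)
        if lit:
            value = lit.group(2)
            break
        call = CALL.match(expr)
        if not call or len(chain) >= max_depth:
            raise ValueError("unsupported expression")
        chain.append(call.group(1).lower())
        expr = call.group(2)
    # Validate the whole chain first, so nothing runs on a partly trusted sample.
    for name in chain:
        if name not in SAFE_TRANSFORMS:
            raise RefusedTransform(name)
    for name in reversed(chain):  # innermost call is applied first
        value = SAFE_TRANSFORMS[name](value)
    return value

# Constructed samples: one uses only allowlisted layers, one names an unlisted function.
INNER = base64.b64encode(b"benign marker"[::-1]).decode()
SAMPLE_OK = 'strrev(base64_decode("%s"))' % INNER
SAMPLE_REFUSED = 'unlisted_fn(base64_decode("%s"))' % INNER

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_OK))
    try:
        deobfuscate(SAMPLE_REFUSED)
    except RefusedTransform as exc:
        print("refused:", exc)
```

The same rule applies to the database scanner path: content read from a table row is as untrusted as a file on disk, so it goes through the same allowlist.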

Background Context

Patchstack states that Imunify360 AV is used by multiple hosting companies and that these deployments protect over 56 million websites. Researchers initially identified the flaw in the file scanning component and later confirmed that the database scanner was vulnerable in the same way.

The scanner typically runs with elevated privileges on shared hosting servers. In its advisory, Patchstack notes that successful exploitation can lead to privilege escalation and potential root-level access, depending on how the product is configured.

Patchstack reports that the vulnerability has been known since late October 2025 and that customers began receiving vendor notifications shortly after. Information about the issue has been publicly available on Imunify360 Zendesk since 4 November 2025.

The advisory states that Imunify360 AV versions prior to 32.7.4.0 are affected and that vendor updates address the vulnerability. Patchstack also notes that no Common Vulnerabilities and Exposures identifier has been assigned for the flaw at this time.

Patchstack recommends that servers running Imunify360 AV earlier than version 32.7.4.0 apply the vendor security update as soon as possible. If patching is not feasible, the company advises removing the tool or restricting its execution environment to minimal privileges. Its guidance also includes contacting CloudLinux or Imunify360 support about potential exposure and post-incident response.

Source Citations

Information in this report is drawn from the public advisory issued by Patchstack:

Author: Etavrian AI
Etavrian AI is developed by Andrii Daniv to produce and optimize content for the etavrian.com website.

Reviewed by: Andrii Daniv
Andrii Daniv is the founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e‑commerce businesses.