Millions of Linux‑Hosted Sites in the Crosshairs: A Remote Code Execution Flaw in ImunifyAV
In a startling reminder that even the most ubiquitous security tools can become the very vector attackers use, a remote code execution (RCE) flaw has been discovered in the ImunifyAV malware scanner. The vulnerability, affecting all versions of the AI‑bolit component prior to 32.7.4.0, could allow a malicious actor to run arbitrary PHP code on any Linux server that employs the scanner. With 56 million websites reportedly running ImunifyAV, the potential impact is staggering.
How the Flaw Works
ImunifyAV’s AI‑bolit module is designed to deobfuscate and unpack malware hidden in PHP files. The deobfuscation routine uses PHP’s call_user_func_array to invoke functions identified in the obfuscated payload. Unfortunately, the scanner does not validate the function names it receives. When an attacker crafts a file that contains malicious function names—such as system, exec, shell_exec, or eval—the scanner will happily execute them.
Patchstack notes: "The vulnerability requires Imunify360 AV to perform active deobfuscation during the analysis step, which is disabled in the default configuration of the standalone AI‑Bolit CLI. However, the Imunify360 integration of the scanner component is forcing an 'always on' state for background scans, on‑demand scans, user‑initiated scans, and rapid scans, which meets the exploitation requirement."
The proof‑of‑concept (PoC) supplied by researchers simply writes a PHP file to the /tmp directory. When the antivirus scans the file, the deobfuscation logic triggers the attacker‑controlled function, resulting in a full RCE.
<?php
// PoC payload – not for production use
file_put_contents('/tmp/evil.php', '<?php system("id"); ?>');
?>
Once the scanner processes evil.php, the system("id") call runs with the privileges of the ImunifyAV process. In shared‑hosting environments where the scanner often runs as root or a privileged user, this can lead to a complete server takeover.
The Response
CloudLinux, the vendor behind ImunifyAV, released a patch on November 10 that backported a whitelisting mechanism to the scanner. The fix ensures that only a predefined set of safe, deterministic functions can be executed during deobfuscation, effectively blocking arbitrary function calls.
CloudLinux advisory: "We recommend updating to version 32.7.4.0 or newer as soon as possible to mitigate this critical vulnerability."
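The allowlisting approach described above, as an added PHP example that is not ImunifyAV's or CloudLinux's code: the unvalidated dispatch pattern the article describes beside a dispatcher that refuses any function name outside a fixed set of deterministic decoders. The helper names, the allowlist contents and the sample payloads are assumptions constructed for illustration.

```php
<?php
// Added example (not ImunifyAV's own code). Names are illustrative assumptions.

// Unvalidated pattern: whatever name the obfuscated payload supplies is invoked.
// This is the shape of the flaw the article describes; it is not called below.
function deobfuscate_unsafe(string $fn, array $args)
{
    return call_user_func_array($fn, $args);
}

// Hardened pattern: only deterministic, side-effect-free decoders may run.
const SAFE_DECODERS = [
    'base64_decode' => true,
    'str_rot13'     => true,
    'gzinflate'     => true,
    'urldecode'     => true,
    'strrev'        => true,
];

function deobfuscate_safe(string $fn, array $args)
{
    // PHP function names are case-insensitive and may carry a leading
    // namespace separator, so normalise before the lookup.
    $name = strtolower(ltrim($fn, '\\'));
    if (!isset(SAFE_DECODERS[$name])) {
        throw new InvalidArgumentException(
            "refusing to call non-allowlisted function: $fn"
        );
    }
    return call_user_func_array($name, $args);
}

// Constructed payloads: one legitimate encoding layer, and one that tries to
// smuggle a shell-executing function name into the deobfuscation step.
$benign    = ['fn' => 'base64_decode', 'args' => ['aGVsbG8=']];
$malicious = ['fn' => 'SYSTEM',        'args' => ['id']];

var_dump(deobfuscate_safe($benign['fn'], $benign['args']));

try {
    deobfuscate_safe($malicious['fn'], $malicious['args']);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```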
Despite the urgency, the flaw has yet to receive a CVE identifier, and no official detection or incident‑response guidance has been issued. As a result, many system administrators remain unaware of the risk until the next patch cycle.
Why It Matters
ImunifyAV is not a consumer‑facing product. It sits beneath the hosting stack, silently scanning files on behalf of web‑hosting providers, managed WordPress hosts, cPanel/WHM, and Plesk servers. Because of its low visibility, a flaw in the scanner can go undetected for weeks, giving attackers ample time to pivot from a compromised web application to the underlying operating system.
The stakes are high: a single RCE can lead to data exfiltration, defacement, credential theft, or the installation of backdoors that persist even after the initial infection is cleaned. In the worst case, attackers can leverage the compromised host to launch attacks against other tenants in a shared‑hosting environment, creating a cascading effect.
What You Should Do
- Check your version – If you’re running Imunify360, ImunifyAV+, or the free ImunifyAV, verify that you are on 32.7.4.0 or later.
- Apply the patch immediately – Download the latest update from CloudLinux and deploy it across your infrastructure.
- Audit your logs – Look for anomalous PHP file creation in /tmp or unexpected system/exec calls. While no detection guidance exists, any evidence of unexpected execution warrants a deeper investigation.
- Plan for a hardening exercise – Consider running ImunifyAV in a sandboxed environment or restricting its file‑system access to mitigate the impact of any future flaws.
A Call for Transparency
The absence of a CVE ID and the lack of a formal incident‑response guide highlight a broader issue in the security ecosystem: critical vulnerabilities in widely deployed tools can slip through the cracks if they lack visibility. CloudLinux’s quick patch is commendable, but the industry must demand clearer communication and faster tracking mechanisms to ensure that administrators can act before attackers do.
For now, the best defense is swift action. Update, audit, and stay vigilant. The next time an attacker tries to piggyback on a trusted security scanner, you’ll be ready to stop them.
Source: BleepingComputer