Critical AI-Bolit Vulnerability in Imunify Patched; Could Allow Root Code Execution

Critical Vulnerability in Imunify’s AI-Bolit Component Allows Root-Level Code Execution

A significant security vulnerability has been identified in the AI-Bolit component of Imunify’s security products, potentially allowing attackers to execute arbitrary code with root privileges on affected servers. Imunify released a patch on October 23, 2025, addressing this issue, and most servers have since been automatically updated. As of now, there are no reports of this vulnerability being exploited in the wild.

Understanding the Vulnerability

The flaw resides in the deobfuscation process of the AI-Bolit scanner. By crafting specific files or database entries, an attacker could cause the scanner to execute malicious PHP functions during its scan, leading to arbitrary code execution with root-level access. The vulnerability arises from the scanner’s handling of unfiltered input from files and databases.

Technical Details

The core issue lies within two PHP functions in AI-Bolit’s code: `deobfuscateDeltaOrd` and `deobfuscateEvalHexFunc`. These functions passed potentially unsafe strings to `Helpers::executeWrapper()`, which then executed them as PHP functions. As a result, malicious input could be executed by the scanner, escalating an attacker’s privileges to root.

Mitigation Measures

The recent patch introduces strict controls to ensure that only safe functions are executed by the deobfuscator. Imunify has confirmed that there is no evidence of this vulnerability being exploited in real-world scenarios. Its security protocol involves silently fixing issues, deploying updates to users, and publishing advisories once it is safe to do so.
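The pattern described under Technical Details and the kind of control described above can be sketched as follows. This is an added illustration, not Imunify’s code or the actual patch: the function names `executeWrapperUnsafe` and `executeWrapperSafe`, the `SAFE_DECODERS` list, and the sample inputs are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of pure string transforms a deobfuscator needs.
// Assumed set for illustration; the page does not list what the patch permits.
const SAFE_DECODERS = ['base64_decode', 'str_rot13', 'strrev', 'urldecode', 'hex2bin'];

// Unsafe pattern: the function name is recovered from scanned content and
// called directly, so the scanned file decides what runs inside the scanner.
// Shown for comparison only; it is never called in this example.
function executeWrapperUnsafe(string $func, array $args)
{
    return call_user_func_array($func, $args);
}

// Hardened pattern: normalise the name, then refuse anything not allowlisted.
function executeWrapperSafe(string $func, array $args)
{
    // PHP function names are case-insensitive and may carry a leading "\".
    $name = strtolower(ltrim($func, '\\'));
    if (!in_array($name, SAFE_DECODERS, true)) {
        throw new InvalidArgumentException("function not allowlisted: $name");
    }
    foreach ($args as $arg) {
        if (!is_string($arg)) {
            throw new InvalidArgumentException("non-string argument for $name");
        }
    }
    // array_values() drops string keys so they cannot become named arguments.
    return call_user_func_array($name, array_values($args));
}

// Constructed samples: [function name found in obfuscated content, arguments].
$samples = [
    ['base64_decode', ['aGVsbG8=']],
    ['StrRev', ['olleh']],                    // mixed case still resolves to strrev
    ['system', ['echo constructed-sample']],  // not a decoder: must be refused
];

foreach ($samples as [$func, $args]) {
    try {
        $out = executeWrapperSafe($func, $args);
        echo $func . ' -> ' . var_export($out, true) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'blocked: ' . $e->getMessage() . PHP_EOL;
    }
}
```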

Recommendations for Users

Users of Imunify products are strongly advised to update the AI-Bolit component immediately to protect against potential attacks that could exploit this vulnerability. Maintaining automatic updates is crucial for ensuring the highest level of security.