Critical Imunify360 AV Vulnerability Threatens Millions of Linux-Hosted Websites
A significant security flaw has been identified in Imunify360 AV, a widely utilized malware scanner safeguarding over 56 million websites. This vulnerability, recently addressed by CloudLinux, enables attackers to execute arbitrary commands, potentially leading to full control over hosting servers.
Understanding the Vulnerability
The core of this issue lies in Imunify360 AV’s deobfuscation logic, which is designed to analyze malicious PHP code. Researchers at Patchstack discovered that attackers can craft specially encoded PHP files that deceive the scanner into executing harmful functions such as `system()`, `exec()`, or `eval()` during its analysis process. Given that the scanner typically operates with root privileges, successful exploitation could result in a complete server takeover.
Scope of the Threat
Imunify360 AV’s deobfuscation feature is automatically enabled by default across all scan types, including background scans, on-demand scans, and rapid account scans. This default setting means that vulnerable systems are continuously at risk whenever the scanner is active. In shared hosting environments, the danger is particularly acute. An attacker who compromises a single website could escalate their privileges to gain root access, thereby compromising every website and customer hosted on the same server. This potential for lateral movement makes the vulnerability especially severe for hosting providers serving multiple clients.
Patch and Response
CloudLinux released a patch on October 21, 2025, addressing this critical issue. However, the company has not issued a formal CVE assignment or security advisory regarding this vulnerability. Information about the flaw appeared on their Zendesk support page on November 4, 2025, even though details about potential exploitation had been circulating since late October.
Recommendations for Hosting Providers
Hosting companies are strongly advised to upgrade to Imunify360 AV version 32.7.4.0 or later without delay. Additionally, it’s crucial to conduct thorough forensic checks to identify any signs of exploitation within their infrastructure. Given the severity of this vulnerability, prompt action is essential to safeguard hosted websites and maintain the integrity of hosting environments.
