Full Report
A critical Remote Code Execution vulnerability has been patched in Imunify360 AV, a security product protecting approximately 56 million websites worldwide. Hosting companies must apply the patch immediately to prevent potential server compromises. The vulnerability details began circulating in late October 2024, prompting urgent recommendations for affected hosting providers to verify the integrity of their […]

Source: "Critical Imunify360 Vulnerability Exposes Millions of Linux-Hosted Sites to RCE Attacks", GBHackers Security.
Analysis Summary
# Vulnerability: Critical RCE in Imunify360 AV Deobfuscation Logic
## CVE Details
- CVE ID: Not yet assigned (Per public advisory)
- CVSS Score: 8.2 (Estimated High)
- CWE: Likely CWE-94 (Improper Control of Generation of Code ('Code Injection')), since the RCE results from the scanner executing functions taken from untrusted input.
## Affected Systems
- Products: Imunify360 AV (AI-Bolit)
- Versions: Versions before **v32.7.4.0**
- Configurations: The flaw is broadly exposed because the Python scanner wrapper enables deep deobfuscation for every scan type, even where the CLI defaults would leave it disabled. The scanner typically runs with **root privileges**.
## Vulnerability Description
A critical Remote Code Execution (RCE) vulnerability exists within the deobfuscation logic of Imunify360 AV when it scans malicious, obfuscated files (PHP, JavaScript, etc.). The deobfuscator fails to validate or sanitize payload content, so specially crafted obfuscated code can cause the scanner itself to execute dangerous functions such as `system()`, `exec()`, `shell_exec()`, `passthru()`, and `eval()`. Two code paths are responsible: the `eval-hex` function pattern and the Delta/Ord flow, which passes strings through `Helpers::executeWrapper`; both bypass the safety checks. Since Imunify360 often runs as root, successful exploitation leads to a complete compromise of the hosting environment.
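The safe design that the flaw above argues for, shown as an added example that is not Imunify360 or AI-Bolit code: every encoding layer is undone by a pure string transform, and the recovered text is only inspected for dangerous function names, never handed to `eval()` or a PHP interpreter. It generalizes the hex-escape and base64 chains named in this report to a small table of transforms (hex/octal escapes, `base64_decode('...')`, `str_rot13('...')`); the transform table, the flagged-function list and the sample payload are constructed for this illustration.

```python
"""Static (non-executing) unwrapping of layered PHP obfuscation.

Added example; this is not Imunify360 or AI-Bolit code. Each layer is
undone by a pure str -> str transform and the result is only inspected.
Nothing here is ever passed to eval(), exec() or a PHP interpreter.
The sample payload at the bottom is constructed.
"""
import base64
import codecs
import re

# Function names whose presence in decoded content should be reported.
DANGEROUS_FUNCS = ("system", "exec", "shell_exec", "passthru", "eval")
_CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(")

# Layer patterns. Simplification: escapes are unwrapped across the whole
# text rather than only inside double-quoted PHP string literals.
_HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")
_OCT_ESC = re.compile(r"\\([0-7]{1,3})")
_B64_CALL = re.compile(r'''base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)''')
_ROT13_CALL = re.compile(r'''str_rot13\s*\(\s*(['"])(.*?)\1\s*\)''')


def unescape_php_string(text: str) -> str:
    """Replace \\xHH and \\OOO escapes with the characters they encode."""
    text = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return _OCT_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)


def _decode_b64_call(m: re.Match) -> str:
    """Replace base64_decode('...') with its decoded text; keep undecodable literals."""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)


def _decode_rot13_call(m: re.Match) -> str:
    return codecs.decode(m.group(2), "rot_13")


# Each transform is a pure function; supporting another layer type means
# adding a tuple here, never adding an interpreter call.
TRANSFORMS = (
    ("escapes", unescape_php_string),
    ("base64_decode", lambda s: _B64_CALL.sub(_decode_b64_call, s)),
    ("str_rot13", lambda s: _ROT13_CALL.sub(_decode_rot13_call, s)),
)


def static_deobfuscate(source: str, max_rounds: int = 10) -> dict:
    """Apply the transforms until a fixed point (or max_rounds), then flag
    dangerous calls in the result. Returns the decoded text, the transforms
    that changed something (in order) and the sorted set of flagged names."""
    current = source
    applied = []
    for _ in range(max_rounds):
        progressed = False
        for name, fn in TRANSFORMS:
            nxt = fn(current)
            if nxt != current:
                applied.append(name)
                current = nxt
                progressed = True
        if not progressed:
            break
    flagged = sorted(set(_CALL_RE.findall(current)))
    return {"decoded": current, "applied": applied, "dangerous_calls": flagged}


# ---- constructed sample: hex escapes wrapped around a base64 layer ----
def _hex_escape(text: str) -> str:
    """Encoder used only to build the sample input."""
    return "".join(f"\\x{ord(c):02x}" for c in text)


_INNER = "shell_exec('id');"  # constructed payload body, deliberately harmless
_LAYER1 = "eval(base64_decode('" + base64.b64encode(_INNER.encode()).decode() + "'));"
SAMPLE_PAYLOAD = 'eval("' + _hex_escape(_LAYER1) + '");'

if __name__ == "__main__":
    result = static_deobfuscate(SAMPLE_PAYLOAD)
    print("layers undone :", result["applied"])
    print("flagged calls :", result["dangerous_calls"])
    print("decoded text  :", result["decoded"])
```

The design point is the `TRANSFORMS` table: decoding is a closed set of pure functions, so a new obfuscation layer can only ever add another string transform, not a code path that runs what it decoded.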
## Exploitation
- Status: Details circulated in late October 2024; vendor patched silently. Exploitation in the wild is not explicitly confirmed by the source, but the risk demands immediate action.
- Complexity: Medium (Requires knowledge of Imunify360 deobfuscation bypasses and obfuscation techniques like base64 chains and XOR transformations).
- Attack Vector: Network/Local (Via uploading malicious files that are subsequently scanned by the AV).
## Impact
- Confidentiality: High (Full server data access).
- Integrity: High (Arbitrary command execution allows modification/deletion of any file).
- Availability: High (Complete server takeover/disruption).
## Remediation
### Patches
- **Imunify360 AV v32.7.4.0** or later. (Hosting companies are urged to apply vendor-supplied security updates immediately.)
### Workarounds
- If immediate patching is impossible, administrators should **restrict the scanner's execution environment**. Run the scanner in isolated analysis containers with minimal privileges and **no network access**.
## Detection
- Indicators of Compromise (IoCs): Evidence of Imunify360 processing highly obfuscated files that use layered encodings (hex escapes, base64/gzinflate), and system logs showing execution of sensitive PHP functions (`system`, `exec`, etc.) originating from the Imunify360 scanning service.
- Detection Methods and Tools: Monitor Imunify360 logs, especially those related to deep-scanning activity, for the period after the information became public (late October 2024).
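One concrete way to implement the detection described above, as an added example rather than Imunify360 tooling: rebuild the parent chain of every process exec on the host and flag any shell or interpreter that descends from the scanner process. The event format, the process names `ai-bolit` and `imunify-antivirus`, and the file paths are assumptions made for this illustration; on a real host the events would come from auditd EXECVE/SYSCALL records or an eBPF exec tracer, and the scanner name should be taken from the installed service.

```python
"""Flag shells or interpreters spawned underneath the AV scanner.

Added example, not Imunify360 tooling. It reads process-exec events
(constructed here as JSON lines; real sources would be auditd EXECVE
records or an eBPF exec tracer), rebuilds the parent chain of every
exec, and reports any shell/interpreter whose ancestry includes the
scanner. Scanner process names and paths below are assumptions.
"""
import json
from typing import Dict, List

SCANNER_PROCESS_NAMES = {"ai-bolit", "imunify-antivirus"}  # assumed names
# Children a file scanner has no business launching.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "perl", "python3", "curl", "wget", "nc"}

# Constructed sample telemetry: one scan in which the scanner's PHP process
# (pid 4101) launched `sh -c id`; a cron-driven logrotate is included as a
# benign shell exec that must not be flagged. Paths are placeholders.
SAMPLE_EVENTS = """\
{"ts": "2025-01-15T02:10:00Z", "pid": 4000, "ppid": 1,    "uid": 0, "comm": "imunify-antivirus", "argv": ["imunify-antivirus", "scan", "/home"]}
{"ts": "2025-01-15T02:10:01Z", "pid": 4101, "ppid": 4000, "uid": 0, "comm": "ai-bolit", "argv": ["php", "ai-bolit.php", "--deobfuscate"]}
{"ts": "2025-01-15T02:10:07Z", "pid": 4102, "ppid": 4101, "uid": 0, "comm": "sh", "argv": ["sh", "-c", "id"]}
{"ts": "2025-01-15T02:10:07Z", "pid": 4103, "ppid": 4101, "uid": 0, "comm": "gzip", "argv": ["gzip", "-d", "/tmp/sample.gz"]}
{"ts": "2025-01-15T02:15:00Z", "pid": 5000, "ppid": 1,    "uid": 0, "comm": "sh", "argv": ["sh", "-c", "/usr/sbin/logrotate /etc/logrotate.conf"]}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(event: dict, by_pid: Dict[int, dict], max_depth: int = 16) -> List[str]:
    """comm names of the parent, grandparent, ... as far as the log shows them."""
    chain = []
    ppid = event["ppid"]
    for _ in range(max_depth):  # bounded so a bad pid cycle cannot spin forever
        parent = by_pid.get(ppid)
        if parent is None:
            break
        chain.append(parent["comm"])
        ppid = parent["ppid"]
    return chain


def find_scanner_spawned_shells(events: List[dict]) -> List[dict]:
    """Return one finding per suspicious child that descends from the scanner."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["comm"] not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e, by_pid)
        scanner = next((c for c in chain if c in SCANNER_PROCESS_NAMES), None)
        if scanner is None:
            continue
        findings.append({
            "ts": e["ts"], "pid": e["pid"], "uid": e["uid"],
            "comm": e["comm"], "argv": e["argv"],
            "scanner_ancestor": scanner, "ancestry": chain,
            # The scanner normally runs as root, so a root shell is critical.
            "severity": "critical" if e["uid"] == 0 else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_scanner_spawned_shells(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['ts']} pid={f['pid']} uid={f['uid']} "
              f"{' '.join(f['argv'])}  <- {' <- '.join(f['ancestry'])}")
```

Walking the full ancestry rather than checking only the immediate parent matters here: the dangerous function is executed by the scanner's PHP process, which is itself a child of the service, so the shell's direct parent may not carry the service name.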
## References
- Vendor Advisory: Quietly documented on the Zendesk support portal on November 4, 2025. (No formal public advisory was found.)
- Relevant Links:
  - gbhackers.com/critical-imunify360-vulnerability-exposes-millions-of-linux-hosted-sites-to-rce-attacks/ (original source)
  - patchstack.com/articles/remote-code-execution-vulnerability-found-in-imunify360/ (external acknowledgment)