The ImunifyAV malware scanner for Linux servers, used by tens of millions of websites, is affected by a remote code execution vulnerability that could be exploited to compromise the hosting environment.
The issue affects versions of the AI-bolit malware scanning component prior to 32.7.4.0. The component is present in the Imunify360 suite, the paid ImunifyAV+, and in ImunifyAV, the free version of the malware scanner.
According to security firm Patchstack, the vulnerability has been known since late October, when ImunifyAV's vendor, CloudLinux, released fixes. Currently, the flaw has not been assigned an identifier.
On November 10, the vendor backported the fix to older Imunify360 AV versions. In an advisory yesterday, CloudLinux warned customers about "a critical security vulnerability" and recommended that they "update the software as soon as possible" to version 32.7.4.0.
ImunifyAV is part of the Imunify360 security suite, mostly used by web-hosting providers and in generic Linux shared-hosting environments.
The product is typically installed at the hosting platform level, not by end-users directly. It is extremely common on shared hosting plans, managed WordPress hosting, cPanel/WHM servers, and Plesk servers.
Website owners rarely interact with it directly, but it is still a ubiquitous tool running silently behind 56 million websites, according to Imunify data from October 2024, which also claims more than 645,000 Imunify360 installations.
The root cause of the flaw is AI-bolit's deobfuscation logic, which executes attacker-controlled function names and data extracted from obfuscated PHP files when unpacking suspected malware for scanning.
This occurs because the tool passes those extracted names to 'call_user_func_array' without validating them, so a crafted file can cause dangerous PHP functions such as system, exec, shell_exec, passthru, eval, and others to be invoked.
Patchstack notes that exploiting the vulnerability requires Imunify360 AV to perform active deobfuscation during the analysis step, which is disabled in the default configuration of the standalone AI-Bolit CLI.
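The pattern described above, as an added illustration that is not AI-bolit's code: a deobfuscation pass that hands an extracted callable name straight to call_user_func_array, beside a hardened form that only allows a fixed set of pure decoding functions. The function names, the SAFE_DECODERS list and the sample inputs are hypothetical and constructed here.

```php
<?php
// Added illustration, not code from AI-bolit or CloudLinux. decode_layer,
// decode_layer_unchecked and SAFE_DECODERS are hypothetical names; the
// samples below are constructed "function name + data" pairs of the kind a
// deobfuscator might extract from an obfuscated PHP file.

// Allowlist of pure transformations a deobfuscation pass legitimately needs.
const SAFE_DECODERS = [
    'base64_decode', 'str_rot13', 'gzinflate', 'gzuncompress',
    'urldecode', 'strrev', 'hex2bin',
];

// Weak pattern the article describes: whatever name was extracted from the
// scanned file decides which function runs.
function decode_layer_unchecked(string $fn, array $args)
{
    return call_user_func_array($fn, $args);
}

// Hardened form: normalise the name, refuse anything not on the allowlist,
// and only then invoke it. A name such as "\System" or "SYSTEM" cannot slip
// past an exact-match check because of the normalisation step.
function decode_layer(string $fn, array $args): ?string
{
    $fn = strtolower(ltrim($fn, '\\'));
    if (!in_array($fn, SAFE_DECODERS, true)) {
        error_log("deobfuscator: refused non-allowlisted callable '$fn'");
        return null;
    }
    // '@' suppresses warnings from malformed data (e.g. bad gzip stream).
    $out = @call_user_func_array($fn, $args);
    return is_string($out) ? $out : null;
}

// Constructed samples: one benign decoding layer, one naming a shell function.
$samples = [
    ['base64_decode', ['aGVsbG8gd29ybGQ=']],   // decodes to "hello world"
    ['\\System',      ['id']],                  // must be refused
];
foreach ($samples as [$fn, $args]) {
    $r = decode_layer($fn, $args);
    echo $fn, ' => ', $r === null ? 'REFUSED' : var_export($r, true), PHP_EOL;
}
```

The refused call is logged rather than silently dropped, which gives a scanner operator a detection signal when a file tries to name a non-decoding function.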