Saturday, January 10, 2026

Server Security Scanner Vulnerability Affects Up To 56M Sites

A Critical Vulnerability in Imunify360 AV Puts Millions of Websites at Risk

A critical vulnerability was recently discovered in Imunify360 AV, a security scanner used by web hosting companies to protect over 56 million websites. An advisory by cybersecurity company Patchstack warns that the vulnerability can allow attackers to take full control of the server and every website on it.

What is Imunify360 AV?

Imunify360 AV is a malware scanning system used by multiple hosting companies. The vulnerability was discovered within its AI-Bolit file-scanning engine and within the separate database-scanning module. Because both the file and database scanners are affected, attackers can compromise the server through two paths, which can allow full server takeover and potentially put millions of websites at risk.

The Vulnerability Explained

Patchstack shared details of the potential impact: Remote attackers can embed specifically crafted obfuscated PHP that matches Imunify360AV (AI-bolit) deobfuscation signatures. The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code. Impact ranges from website compromise to full server takeover depending on hosting configuration and privileges. Detection is non-trivial because the malicious payloads are obfuscated and are intended to be deobfuscated by the tool itself.

How the Vulnerability Works

The scanner’s own design gives attackers both the method of entry and the mechanism for execution. The tool is built to deobfuscate complex payloads, and that capability becomes the reason the exploit works. Once the scanner decodes attacker-supplied functions, it can run them with the same privileges it already has. In environments where the scanner operates with elevated access, a single malicious payload can move from a website-level compromise to control of the entire hosting server.
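The design flaw described above, as an added example that is not Imunify360 or AI-Bolit code: a small static deobfuscator, written in Python, for PHP-style nested calls. It contrasts resolving any function name found in the sample with resolving names only from an allowlist of pure decoders. All names, both samples and the recording stand-in for a command-running function are constructed for illustration.

```python
import base64, codecs, re, zlib

# Pure bytes -> bytes decoders; nothing here touches the OS or interpreter.
SAFE_DECODERS = {
    "base64_decode": base64.b64decode,
    "strrev": lambda b: b[::-1],
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}

CALLED = []  # records what the stand-in below was handed

def stand_in_system(data):
    """Harmless stand-in for a command-running function: it only records."""
    CALLED.append(data)
    return data

# Flawed design: every callable the runtime has is reachable by name.
WHOLE_RUNTIME = {**SAFE_DECODERS, "system": stand_in_system}

CALL = re.compile(r"\s*([A-Za-z_]\w*)\s*\((.*)\)\s*$", re.S)
LITERAL = re.compile(r"""\s*(['"])(.*)\1\s*$""", re.S)

class Refused(Exception):
    pass

def unwrap(expr, table, max_depth=16):
    """Statically evaluate name(name('literal')) with callables from table only."""
    names = []
    while (m := CALL.match(expr)):
        names.append(m.group(1))
        expr = m.group(2)
        if len(names) > max_depth:
            raise Refused("nesting too deep")
    lit = LITERAL.match(expr)
    if lit is None:
        raise Refused("innermost argument is not a string literal")
    # Check every name before calling anything, so a refusal has no side effects.
    unknown = [n for n in names if n not in table]
    if unknown:
        raise Refused("not a known decoder: " + ", ".join(unknown))
    data = lit.group(2).encode("latin-1")
    for name in reversed(names):
        data = table[name](data)
    return data

# Constructed samples (not taken from any real payload).
BENIGN = "base64_decode(strrev('=8GbsVGa'))"
HOSTILE = "system(base64_decode('Y29uc3RydWN0ZWQ='))"
```

With `SAFE_DECODERS` the hostile sample is refused before any function runs and can be flagged as suspicious; with `WHOLE_RUNTIME` the scanner itself invokes the function the sample named.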

Two Vulnerable Paths: File Scanner and Database Scanner

Security researchers initially discovered a flaw in the file scanner, but the database-scanning module was later found to be vulnerable in the same way. According to the announcement: “the database scanner (imunify_dbscan.php) was also vulnerable, and vulnerable in the exact same way.” Both of the malware scanning components (file and database scanners) pass malicious code into Imunify360’s internal routines that then execute the untrusted code, giving attackers two different ways to trigger the vulnerability.

Why the Vulnerability is Easy to Exploit

The file-scanner part of the vulnerability required attackers to place a harmful file onto the server in a location that Imunify360 would eventually scan. But the database-scanner part of the vulnerability needs only the ability to write to the database, which is common on shared hosting platforms. Because comment forms, contact forms, profile fields, and search logs can write data to the database, injecting malicious content becomes easy for an attacker, even without authentication.

Vendor Silence and Disclosure Timeline

According to Patchstack, a patch has been issued by Imunify360 AV but no public statement has been made about the vulnerability and no CVE has been issued for it. A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a specific vulnerability in software. It serves as a public record and provides a standardized way to catalog a vulnerability so that interested parties are made aware of the flaw, particularly for risk management.

Recommended Actions for Administrators

Patchstack recommends that server administrators immediately apply vendor security updates if running Imunify360 AV (AI-bolit) prior to version 32.7.4.0, or remove the tool if patching is not possible. If an immediate patch cannot be applied, the tool’s execution environment should be restricted, such as running it in an isolated container with minimal privileges. All administrators are also urged to contact CloudLinux / Imunify360 support to report potential exposure, confirm if their environment was affected, and to collaborate on post-incident guidance.

Conclusion

The vulnerability in Imunify360 AV is a critical issue that puts millions of websites at risk. The fact that the vulnerability can be exploited through two paths, file scanner and database scanner, makes it even more dangerous. It is essential for server administrators to take immediate action to patch the vulnerability or restrict the tool’s execution environment to prevent potential attacks. By doing so, they can protect their websites and prevent a full server takeover. It is also crucial for Imunify360 AV to release a public statement and assign a CVE to the vulnerability to inform users and potential users about the issue.
