Critical Imunify360 Vulnerability Exposes Millions of Linux-Hosted Sites to RCE Attacks

A critical Remote Code Execution vulnerability has been patched in Imunify360 AV, a security product protecting approximately 56 million websites worldwide.

Hosting companies must apply the patch immediately to prevent potential server compromises.

The vulnerability details began circulating in late October 2024, prompting urgent recommendations for affected hosting providers to verify the integrity of their servers.

Despite the severity, Imunify360’s team has not released an official statement, and no CVE identifier has been assigned.

The issue was quietly documented on their Zendesk support portal on November 4, 2025, with an estimated CVSS severity score of 8.2.

Vulnerability Overview

Security researchers discovered a remote code execution flaw in Imunify360 AV (AI-Bolit) versions before v32.7.4.0.

The vulnerability originates from the deobfuscation logic that executes untrusted functions and payloads extracted from attacker-supplied malware samples.

When processing malicious files, the deobfuscator can invoke dangerous PHP functions, including system(), exec ...