RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk

The ImunifyAV malware scanner for Linux servers, deployed behind tens of millions of websites, contains a remote code execution vulnerability that could be exploited to compromise the hosting environment.

The issue affects versions of the AI-Bolit malware scanning component prior to 32.7.4.0. The component ships in the Imunify360 suite, in the paid ImunifyAV+, and in ImunifyAV, the free version of the malware scanner.

According to security firm Patchstack, the vulnerability has been known since late October, when ImunifyAV's vendor, CloudLinux, released fixes. Currently, the flaw has not been assigned an identifier.


On November 10, the vendor backported the fix to older Imunify360 AV versions. In an advisory yesterday, CloudLinux warned customers about "a critical security vulnerability" and recommended to "update the software as soon as possible" to version 32.7.4.0.

ImunifyAV is part of the Imunify360 security suite, mostly used by web-hosting providers or generic Linux shared hosting environments.

The product is typically installed at the hosting platform level, not by end-users directly. It is extremely common on shared hosting plans, managed WordPress hosting, cPanel/WHM servers, and Plesk servers.

Website owners rarely interact with it directly, but it is still a ubiquitous tool running silently behind 56 million websites, according to Imunify data from October 2024, which also claims more than 645,000 Imunify360 installations.

The root cause lies in AI-Bolit's deobfuscation logic: while unpacking obfuscated PHP files so that they can be scanned, the tool executes function names and arguments taken from the attacker-controlled file itself.

It does so through 'call_user_func_array' without validating the function name, so a crafted file can make the scanner invoke dangerous PHP functions such as system, exec, shell_exec, passthru, eval, and more.

Patchstack notes that exploiting the vulnerability requires Imunify360 AV to perform active deobfuscation during the analysis step, which is disabled in the default configuration of the standalone AI-Bolit CLI.

However, the Imunify360 integration of the scanner component forces deobfuscation into an 'always on' state for background scans, on-demand scans, user-initiated scans, and rapid scans, so the precondition for exploitation is met in those deployments.

The researchers shared a proof of concept (PoC) exploit that creates a PHP file in the tmp directory, which will trigger remote code execution when scanned by the antivirus.

[Image: Proof of concept exploit. Source: Patchstack]

This could enable full website compromise, and if the scanner runs with elevated privileges in shared hosting setups, the implications could extend to full server takeover.

CloudLinux's fix adds a whitelisting mechanism that only allows safe, deterministic functions to execute during deobfuscation, which blocks arbitrary function execution.
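To make the root cause and the shape of the fix concrete, here is an added illustration written for this article; it is not AI-Bolit's or CloudLinux's code. It shows a stripped-down deobfuscation dispatcher in the vulnerable form described above (a function name extracted from the file is handed straight to call_user_func_array) next to a hardened variant that only dispatches to an allowlist of deterministic, side-effect-free decoders, which is the kind of mechanism the patch is described as adding. The "name|base64-argument" input layout, the extract_call helper, and the allowlist contents are assumptions made for the demo, not the real file format or the vendor's list.

```php
<?php
// Added illustration, not AI-Bolit's code. Contrasts an unvalidated
// call_user_func_array dispatch with an allowlisted one.

// Constructed stand-in for the data a deobfuscator pulls out of an
// obfuscated PHP file: a function name plus one argument.
// Layout "<func>|<base64 arg>" is an assumption for this demo only.
function extract_call(string $obfuscated): array
{
    [$name, $arg] = explode('|', $obfuscated, 2);
    return ['name' => trim($name), 'args' => [base64_decode($arg)]];
}

// VULNERABLE shape: whatever name the file carries gets called, so a
// planted file can reach system(), exec(), shell_exec(), passthru(), ...
function deobfuscate_vulnerable(string $obfuscated): string
{
    $call = extract_call($obfuscated);
    return (string) call_user_func_array($call['name'], $call['args']);
}

// HARDENED shape: only decoders that are deterministic and have no
// side effects may be invoked during unpacking (assumed list).
const SAFE_DEOBFUSCATION_FUNCS = [
    'base64_decode', 'str_rot13', 'strrev', 'gzinflate',
    'gzuncompress', 'urldecode', 'hex2bin',
];

function deobfuscate_hardened(string $obfuscated): string
{
    $call = extract_call($obfuscated);
    // PHP function names are case-insensitive and may carry a leading
    // namespace separator; normalize before the allowlist check so
    // "System" or "\system" cannot slip past an exact-match compare.
    $name = strtolower(ltrim($call['name'], '\\'));
    if (!in_array($name, SAFE_DEOBFUSCATION_FUNCS, true)) {
        throw new RuntimeException(
            "refusing to call non-allowlisted function: {$call['name']}"
        );
    }
    return (string) call_user_func_array($name, $call['args']);
}

// Constructed inputs: a benign rot13-wrapped string and a hostile
// record of the kind an attacker would plant for the scanner to find.
$benign  = 'str_rot13|' . base64_encode('uryyb');
$hostile = 'system|' . base64_encode('id');

// Both dispatchers decode the benign input.
echo deobfuscate_vulnerable($benign), PHP_EOL;
echo deobfuscate_hardened($benign), PHP_EOL;

// The hardened dispatcher refuses the hostile record instead of running it.
try {
    deobfuscate_hardened($hostile);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// deobfuscate_vulnerable($hostile) would execute `id` on the scanning
// host under the scanner's privileges; it is deliberately not called here.
```

The important property of the hardened path is that the decision is made on a normalized name against a closed list of pure functions, rather than on a denylist of known-dangerous ones: a denylist would have to anticipate every callable that can reach the shell or the filesystem, while an allowlist only has to enumerate the handful of decoders the scanner actually needs.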

Despite the lack of clear warnings from the vendor or a CVE-ID that would help raise the alarm and track the issue, system administrators should upgrade to version 32.7.4.0 or newer.

Currently, there are no official instructions on how to check for compromise, no detection guidance, and no confirmation of active exploitation in the wild.

BleepingComputer has contacted CloudLinux with a request for comment, but we have not received a response by publishing time.

Update 11/16 - Further examination by Patchstack researchers uncovered that the issue is more severe than initially anticipated, because an easier exploitation vector exists that does not require uploading malware. More details are available in this update.

Update 11/17 - Imunify360 published a security advisory with recommended actions and a temporary workaround.

