ImunifyAV / AI-bolit remote code execution flaw
Vulnerability
Summary
A remote code execution flaw in ImunifyAV / AI-bolit puts Linux hosting environments at risk because attacker-controlled PHP function names can execute during deobfuscation. The issue affects versions prior to 32.7.4.0 across Imunify360, ImunifyAV+, and ImunifyAV. A proof-of-concept shows the scanner can trigger code execution when it processes a crafted PHP file, though no active exploitation has been confirmed. CloudLinux fixed the bug and urged administrators to upgrade to 32.7.4.0 or newer.
Related Happenings
Linux kernel XFRM ESP-in-TCP local privilege escalation (CVE-2026-46300)
Vulnerability
First: 14.05.2026 10:06
Last: 14.05.2026 10:06
Sources 1
About this happening:
**Fragnesia** adds a fresh **Linux kernel** local privilege-escalation path, putting **unprivileged local attackers** on a route to **root access** across major distributions. The...
Latest development: 14.05.2026 16:00
Cloud security firm Wiz identified Fragnesia (CVE-2026-46300) in the Dirty Frag family, a Linux local privilege escalation that lets unprivileged local users gain root by corrupting the kernel page cache of read-only files. William Bowling of Zellic and the V12 team were credited with the discovery, and a working proof-of-concept exploit was published on May 13, 2026.
Linux kernel Copy Fail local privilege escalation (CVE-2026-31431)
Vulnerability
First: 30.04.2026 12:24
Last: 30.04.2026 12:24
Sources 1
About this happening:
Researchers disclosed **CVE-2026-31431**, a **Linux kernel** local privilege-escalation flaw called **Copy Fail** that can let an **unprivileged local user** gain **root**. The bu...
Latest development: 08.05.2026 08:12
Dirty Frag was described as an unpatched Linux kernel LPE that can give an unprivileged local user root on most Linux distributions by chaining xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, while the related Copy Fail issue was reported to Linux kernel maintainers on April 30, 2026 and has come under active exploitation in the wild. CloudLinux said the flaw sits in the ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path reachable via the XFRM user netlink interface, and the researcher said Dirty Frag can be triggered regardless of whether the algif_aead module is available; a working PoC was also released.
Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw
Vulnerability
First: 13.03.2026 10:18
Last: 13.03.2026 10:18
Sources 1
About this happening:
Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...
Grist-Core Cellbreak sandbox escape (CVE-2026-24002)
Vulnerability
First: 27.01.2026 12:36
Last: 27.01.2026 12:36
Sources 1
About this happening:
A **critical** **Grist-Core** vulnerability, **CVE-2026-24002** (**Cellbreak**), can let **malicious spreadsheet formulas** trigger **remote code execution** on self-hosted instan...
Timeline
13.11.2025 21:04 1 articles · 6mo ago
CloudLinux backports AI-bolit fix to older Imunify360 AV versions
Mitigation Patch Update
CloudLinux backported the fix to older Imunify360 AV versions on November 10, 2025 after addressing the AI-bolit remote code execution flaw in versions prior to 32.7.4.0. The remediation adds a whitelisting mechanism so only safe, deterministic functions can run during deobfuscation, blocking arbitrary PHP function execution in affected ImunifyAV and Imunify360 deployments.
Sources
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
13.11.2025 21:04 2 articles · 6mo ago
CloudLinux warns ImunifyAV customers to upgrade to 32.7.4.0
Initial Disclosure
CloudLinux warned customers about a critical security vulnerability in AI-bolit used by ImunifyAV and Imunify360 on Linux hosting, and told administrators to upgrade to version 32.7.4.0 or newer. The public warning highlighted that exploiting the flaw requires active deobfuscation during scanning, that a proof of concept can trigger remote code execution from a crafted PHP file, and that no active exploitation in the wild or official compromise-check guidance had been confirmed.
Sources
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04