Remote Code Execution Vulnerability in ImunifyAV/AI-bolit
Summary
A remote code execution (RCE) flaw in the AI-bolit malware scanning component of ImunifyAV and Imunify360, used by millions of Linux-hosted websites, could allow attackers to compromise hosting environments. The vulnerability stems from improper validation of function names during deobfuscation of PHP files. The flaw affects versions prior to 32.7.4.0 and has been patched, but no CVE identifier has been assigned. The vulnerability is particularly concerning due to the widespread use of ImunifyAV in shared hosting environments, potentially enabling full server takeovers if the scanner runs with elevated privileges.
Timeline
- 13.11.2025 21:04 (1 article): RCE flaw in ImunifyAV/AI-bolit disclosed and patched
A remote code execution (RCE) flaw in the AI-bolit malware scanning component of ImunifyAV and Imunify360, used by millions of Linux-hosted websites, was disclosed and patched. The vulnerability stems from improper validation of function names during deobfuscation of PHP files. The flaw affects versions prior to 32.7.4.0 and has been patched, but no CVE identifier has been assigned. The vulnerability is particularly concerning due to the widespread use of ImunifyAV in shared hosting environments, potentially enabling full server takeovers if the scanner runs with elevated privileges.
Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
Information Snippets
- The vulnerability affects AI-bolit versions prior to 32.7.4.0, part of ImunifyAV, ImunifyAV+, and Imunify360.
  First reported: 13.11.2025 21:04 (1 source, 1 article). Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
- The flaw arises from the use of `call_user_func_array` without validating function names, allowing execution of dangerous PHP functions.
  First reported: 13.11.2025 21:04 (1 source, 1 article). Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
- Exploitation requires active deobfuscation during analysis, which is enabled by default in Imunify360 but not in the standalone AI-bolit CLI.
  First reported: 13.11.2025 21:04 (1 source, 1 article). Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
- A proof of concept (PoC) exploit has been developed that triggers RCE by creating a PHP file in the tmp directory.
  First reported: 13.11.2025 21:04 (1 source, 1 article). Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
- The patch adds a whitelisting mechanism to block arbitrary function execution during deobfuscation.
  First reported: 13.11.2025 21:04 (1 source, 1 article). Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
- There is no official guidance on detecting compromise or confirmation of active exploitation in the wild.
  First reported: 13.11.2025 21:04 (1 source, 1 article). Sources:
- RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk — www.bleepingcomputer.com — 13.11.2025 21:04
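
The flaw and the fix described in the snippets above (a `call_user_func_array` call on an unvalidated function name, then an allowlist) can be illustrated in PHP. This is an added example, not AI-bolit's code: the function names, the allowlist contents and the sample input are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: pure string transforms a deobfuscator may need to
// replay. Nothing here touches files, processes, or user-supplied callbacks.
const SAFE_DEOBFUSCATION_FUNCTIONS = [
    'base64_decode', 'str_rot13', 'strrev', 'urldecode',
    'rawurldecode', 'hex2bin', 'gzinflate', 'gzuncompress',
];

// Unsafe pattern (the class of flaw described above): the function name comes
// from the file being scanned and is invoked without any validation.
function resolveCallUnsafe(string $name, array $args)
{
    return call_user_func_array($name, $args);
}

// Hardened pattern: exact-match allowlist, string arguments only.
function resolveCallSafe(string $name, array $args): ?string
{
    // PHP function names are case-insensitive and may carry a leading "\".
    $name = strtolower(ltrim($name, '\\'));
    if (!in_array($name, SAFE_DEOBFUSCATION_FUNCTIONS, true)) {
        return null; // leave the expression unresolved instead of running it
    }
    foreach ($args as $arg) {
        if (!is_string($arg)) {
            return null; // no arrays, objects or callables as arguments
        }
    }
    try {
        // array_values() drops string keys so they cannot act as named args.
        $result = @call_user_func_array($name, array_values($args));
    } catch (\Throwable $e) {
        return null; // wrong argument count or type
    }
    return is_string($result) ? $result : null;
}

// Constructed sample: (function name, arguments) pairs as a scanner might
// extract them from an obfuscated file. Only the hardened path is exercised.
$extracted = [
    ['base64_decode', ['ZWNobyAiaGkiOw==']],
    ['strrev', [';"ih" ohce']],
    ['system', ['id']],
    ['\\SYSTEM', ['id']],
];
foreach ($extracted as [$fn, $args]) {
    $out = resolveCallSafe($fn, $args);
    printf("%-14s => %s\n", $fn, $out === null ? 'blocked/unresolved' : $out);
}
```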