A serious vulnerability has been discovered in Imunify360 (and ImunifyAV) that could put millions of websites at risk, according to security firm Patchstack. The flaw allows attackers to upload malicious files to shared servers and execute arbitrary PHP code, potentially giving full control over the server.
The issue affects Imunify360 AV (AI-Bolit) versions prior to v32.7.4.0. The problem lies in its “deobfuscation logic,” which processes attacker-supplied malware in a way that can trigger dangerous PHP functions — including system(), exec(), shell_exec(), passthru(), and eval() — allowing remote code execution.
Imunify360 is a security platform by CloudLinux, designed to protect shared, VPS, and dedicated servers. It’s widely used and currently protects an estimated 56 million websites. Because the malware scanner often runs with root or elevated permissions, successful exploitation could lead to full takeover of the hosting environment, especially on shared servers.
To exploit the flaw, attackers craft obfuscated PHP payloads that mimic Imunify360’s internal patterns. When scanned with the -y / --deobfuscate option enabled, these payloads are deobfuscated and then executed — allowing them to run system commands or arbitrary PHP code.
Detection of malicious payloads is especially difficult because attackers use layered and complex obfuscation: things like hex-encoded strings, base64/gzinflate chains, and custom transformations. That makes the attack stealthy and hard to spot.
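The root cause described above is a scanner whose deobfuscation step ends up invoking the decoded sample. The hardened pattern a defender wants is a static unpacker that emulates the PHP decoder functions as pure data transforms, caps the number of layers, and only reports dangerous sinks. The Python below is an added illustration of that pattern, not Imunify360's or AI-Bolit's code; the decoder set, the layer cap and the two-layer sample payload are constructed assumptions.

```python
import base64, binascii, re, zlib

# PHP sinks named in the article: a scanner may only *report* these in decoded
# text, never invoke them on attacker-supplied content.
DANGEROUS_CALLS = ("system", "exec", "shell_exec", "passthru", "eval")
DECODERS = {  # pure data transforms emulating PHP decoders; raw DEFLATE for gzinflate
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),
    "hex2bin": binascii.unhexlify,
}
# Nested decoder calls around one string literal, e.g. gzinflate(base64_decode('...'))
CHAIN_RE = re.compile(r"((?:(?:base64_decode|gzinflate|hex2bin)\s*\(\s*)+)(['\"])([^'\"]*)\2")
CLOSE_RE = re.compile(r"\s*\)")

def static_deobfuscate(src: str, max_layers: int = 8) -> tuple[str, int]:
    """Peel decoder chains by emulation only; returns (decoded text, layers peeled)."""
    layers = 0
    while layers < max_layers and (m := CHAIN_RE.search(src)):
        funcs = re.findall(r"[a-z0-9_]+", m.group(1))
        data, end = m.group(3).encode("latin-1"), m.end()
        try:
            for _ in funcs:                  # consume exactly one ')' per wrapper
                if (close := CLOSE_RE.match(src, end)) is None:
                    raise ValueError("unbalanced decoder chain")
                end = close.end()
            for f in reversed(funcs):        # innermost decoder runs first
                data = DECODERS[f](data)
        except (ValueError, binascii.Error, zlib.error):
            break  # malformed layer: stop here, never fall back to running the sample
        src = src[:m.start()] + data.decode("latin-1", "replace") + src[end:]
        layers += 1
    return src, layers

def dangerous_calls(src: str) -> list[str]:
    """Names of dangerous PHP functions called in the decoded text (report only)."""
    return sorted(f for f in DANGEROUS_CALLS if re.search(rf"\b{f}\s*\(", src))

def build_sample() -> str:
    """Constructed two-layer payload: base64 over eval(gzinflate(base64_decode(...)))."""
    inner = b'<?php system("id"); ?>'
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    mid = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(
        c.compress(inner) + c.flush()).decode()
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(mid.encode()).decode()

if __name__ == "__main__":
    text, n = static_deobfuscate(build_sample())
    print(n, "layers ->", text, "| sinks:", dangerous_calls(text))
```

A malformed layer (bad padding, corrupt DEFLATE stream) stops the unpacker and leaves the remaining text for signature matching rather than handing it to an interpreter.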
Adding to the concern, CloudLinux has not yet issued a formal security advisory for this flaw, and no CVE identifier has been assigned. However, the issue was publicly disclosed on CloudLinux’s Zendesk support portal on November 4, 2025.
CloudLinux has released a patch: the vulnerability was fixed on October 21, 2025, and users are advised to update to version 32.7.4.0 or later. Patchstack has also published a proof-of-concept (PoC) exploit and recommends hosting providers thoroughly check their servers for signs of malicious activity or compromise.
It’s still unclear whether the flaw has been actively exploited “in the wild.” But given the scale of the impact — potentially affecting tens of millions of websites — this is a very serious risk for web hosting environments that use Imunify360 or ImunifyAV.