A newly disclosed flaw in Imunify360's malware scanner can let attackers run their own code on hosting servers. Anyone managing a site or a shared server should update immediately to prevent a full compromise.

A critical security weakness in Imunify360 AV, a tool widely used across shared and managed hosting platforms, has been found to give attackers a pathway to run their own code on a server.
The issue affects both the file-scanning engine and the database-scanning module, which means attackers have more than one way to trigger the flaw.
Patchstack, the security firm that analyzed and publicly documented the vulnerability, warns that the impact can escalate from a single compromised website to a full server takeover, depending on how much access the scanner has.
The tool is used across hosting environments that collectively support up to 56 million sites, making the discovery both serious and far-reaching.
How an Anti-Malware Tool Became a Vulnerability
Imunify360's AI-Bolit engine is designed to inspect encoded or obfuscated PHP. This helps hosting providers detect real infections that hide behind layers of encoding.
The problem is that this same decoding logic can also process malicious payloads crafted to match the scanner's internal signatures.
Once decoded, the scanner can end up running attacker-controlled functions with whatever system privileges it has.
Patchstack explained that this behavior stems directly from how the tool works. The scanner's job is to unpack complex code, and this unpacking mechanism becomes the attacker's doorway. If the scanner operates with elevated rights, the decoded payload inherits those rights as well.
Two Vulnerable Paths: Files and Databases
Initially, researchers found the flaw in the file-scanning routine. If an attacker manages to place a harmful file in a location the scanner eventually checks, the scanner can decode and execute it. This alone is concerning.
The second path, however, is easier to exploit. The database-scanning module was found to be vulnerable in exactly the same way. Any feature that writes user input to the database becomes a potential trigger. Comment boxes, contact forms, profile fields, and search logs all routinely accept input and store it in the database, often without user accounts or authentication. This means an attacker can plant malicious content through ordinary site interactions and rely on the scanner to process it later.
Because so many shared hosting platforms allow frequent database writes from public-facing features, the database vector expands the risk significantly.
Why Shared Hosting Faces the Greatest Threat
On shared hosting servers, dozens or hundreds of websites depend on the same Imunify360 installation. If the tool runs with high privileges, a single carefully crafted payload can give an attacker access to the entire server. Patchstack notes that this kind of privilege escalation is possible when the scanner or its wrapper runs with elevated rights.
This explains why the vulnerability carries such high severity. An attacker does not just compromise one site. They can potentially take over every site hosted on the same server.
What Patchstack Revealed About Disclosure
Patchstack reports that while a patch has been issued, CloudLinux has not released a public statement about the vulnerability, nor has a CVE been assigned.
The issue has been known internally since late October and appeared on the vendor's Zendesk by early November, yet no formal bulletin has accompanied it.
Patchstack encourages hosting providers to reach out to CloudLinux directly for clarity on whether any exploitation attempts have been observed and to request guidance on handling suspected exposure. Their review places the flaw at a near-maximum severity score of 9.9.
What Website Owners Should Ask Their Hosts
If your site runs on shared hosting, your provider controls the server software and security tools. This means you should contact them and ask whether they have applied the latest Imunify360 AV update.
Most responsible hosts will already have patched their systems, but the lack of a formal vendor announcement means it is important to verify.
If the host cannot confirm the update, request a timeline or consider temporarily moving critical workloads until the environment is secured.
What Administrators Should Do Right Now
Here are the steps administrators should focus on immediately to confirm their servers are protected and to close any remaining exposure from the vulnerability.
- Confirm the patch. Log in and check version numbers against the vendor's advisory.
- Remove unnecessary privileges. Run the scanner with the least access needed so that unexpected code cannot break out into the system.
- Review database inputs. Harden your validation rules for form submissions and other data that flows into your database.
- Check recent logs. Look for unusual decoding activity or unexpected scanner behavior.
- Apply temporary limits. If you have to postpone the update for any reason, consider turning off the database-scanning module until the fix is safely deployed.
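The first two steps can be scripted. The sketch below is an added example, not code from Patchstack or CloudLinux: it compares an installed version against the fixed one and flags scanner processes owned by root in `ps -eo user,pid,args` output. The process-name pattern, the sample process list, the paths and both version strings are assumptions or constructed placeholders; take the real fixed version from the vendor's advisory.

```python
import re

# Assumption: the scanner's process name contains "ai-bolit". Adjust to your host.
SCANNER_PATTERN = re.compile(r"ai-bolit", re.IGNORECASE)

# Constructed sample of `ps -eo user,pid,args` output (not from a real server).
SAMPLE_PS = """\
USER       PID COMMAND
root       812 /usr/sbin/sshd -D
root      4401 /example/bin/ai-bolit-scan
scanuser  4410 /example/bin/ai-bolit-scan
www-data  5120 php-fpm: pool site1
"""

def version_key(version):
    """Numeric fields of a version string; a simplification of rpm/dpkg ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_patched(installed, fixed):
    """True when the installed version is at or above the advisory's fixed version."""
    return version_key(installed) >= version_key(fixed)

def root_scanner_processes(ps_text):
    """Return (pid, command) for scanner processes owned by root."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, command = parts
        if user == "root" and SCANNER_PATTERN.search(command):
            hits.append((int(pid), command))
    return hits

def audit(ps_text, installed, fixed):
    """Collect findings for the 'confirm the patch' and 'remove privileges' steps."""
    findings = []
    if not is_patched(installed, fixed):
        findings.append(f"scanner {installed} is older than fixed version {fixed}")
    for pid, command in root_scanner_processes(ps_text):
        findings.append(f"pid {pid} runs the scanner as root: {command}")
    return findings

if __name__ == "__main__":
    # Both versions are placeholders; take the fixed version from the vendor's advisory.
    for finding in audit(SAMPLE_PS, installed="1.0.0-1", fixed="1.0.1-1"):
        print(finding)
```
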
Key Takeaways
- The flaw allowed attackers to execute hostile code through both file and database scans.
- Shared hosting environments are particularly exposed because one breach can spread widely.
- CloudLinux released a fix quickly, but many servers still need verification.
- Administrators should limit scanner privileges and check for suspicious activity.
- Website owners should ask their hosting provider for confirmation that the patch is active.
Zulekha