A newly uncovered security flaw inside Imunify360 AV has raised serious concerns among hosting providers, after researchers revealed that attackers can use the vulnerability to seize full control of a server. Patchstack, the firm that investigated the issue, said the flaw affects both the file scanner and the database scanner within the AI-Bolit engine, which protects more than 56 million websites. The discovery drew attention not only because it is severe but also because it shows how the scanner’s own design can work against the systems it is supposed to protect.
Patchstack described the issue plainly, noting that attackers can embed crafted PHP code that the scanner interprets as legitimate data. One researcher explained that “the deobfuscator will execute extracted functions on attacker controlled data,” which opens the door to remote command execution. Because the scanner often runs with elevated privileges, the impact can escalate quickly, and in certain hosting setups, it can lead to a full server takeover.
The situation grows more troubling because the same flaw impacts two different components of Imunify360 AV. Patchstack confirmed that the database scanner is vulnerable just like the file scanner. That second path lowers the barrier for attackers, since many shared hosting environments allow users or site visitors to write data to a database through comments, contact forms, or logs. A simple database entry can become a trigger point for malicious code that the scanner eventually processes.
Another point adding pressure is the lack of a public statement from the vendor. Patchstack said they learned about the vulnerability in late October and notified customers soon after. Despite that, the vendor has not assigned a CVE identifier or issued a formal advisory, even though they listed the issue on their Zendesk page earlier in November. Patchstack estimated the CVSS score at 9.9, placing it among the highest severity levels.
Patchstack urges administrators to apply the latest patch immediately or restrict the scanner’s privileges if they cannot install updates right away. The company also encourages hosting providers to contact CloudLinux and Imunify360 directly to confirm any exposure and decide what steps they must take to reduce further risk.
