A critical vulnerability has been discovered in Imunify360 AV, a popular malware-scanning tool used by many web-hosting providers that collectively serve up to 56 million websites.
The flaw affects two core modules of the software: its AI-Bolit file scanner and the database-scanning component. Attackers can submit malicious payloads that the scanner de-obfuscates and then executes, enabling arbitrary code execution or system-level command execution.
In shared-hosting environments where the scanner runs with elevated privileges, the impact can escalate from a single site compromise to full server takeover.
Security firm Patchstack rated the vulnerability 9.9 on the CVSS scale and urged admins to patch immediately or isolate the service.
No public CVE has been assigned yet, and the vendor has not made a formal statement even though the exposure has been publicly documented.






