Critical Vulnerability in Imunify360 Could Expose Millions of Websites to Attack

CYBER SYRUP

A serious security vulnerability has been identified in Imunify360, a popular Linux-based website security suite used to protect web hosting environments. The flaw, if exploited, could allow attackers to execute arbitrary code and gain full control over hosting servers — potentially compromising millions of websites worldwide.
Imunify360 is developed by Cloud Linux Software and, according to vendor data from October 2024, is used to secure more than 56 million websites across shared hosting environments. The vulnerability affects the AI-Bolit malware scanner, which is also integrated into the ImunifyAV+ and ImunifyAV products.
Details of the Vulnerability
The issue was discovered by the website security firm Patchstack, which found that attackers could exploit the flaw by uploading a specially crafted file to a server protected by Imunify360. When the antivirus component scans this file, it triggers the vulnerability, allowing remote code execution (RCE) with elevated privileges.
This could lead to complete compromise of the hosting environment, particularly in shared hosting setups where hundreds of client sites are managed simultaneously.
Cloud Linux Software released a patch for the flaw on October 21, 2025, though it has not yet assigned a CVE identifier. The company publicly acknowledged the issue in a November 4 advisory, describing it as a “critical security vulnerability.”
While Patchstack has not confirmed evidence of active exploitation in the wild, the firm noted that information about the flaw began circulating online in late October — increasing the likelihood of opportunistic attacks.
Potential Impact on Shared Hosting Environments
The risk posed by this vulnerability is particularly severe in shared hosting environments, where multiple customers’ websites are hosted on the same server.
According to Oliver Sild, co-founder and CEO of Patchstack, a malicious actor could sign up for a shared hosting plan with any provider using Imunify360 and upload malware designed to trigger the flaw during antivirus scans.
Because the malware scanner operates with root privileges, the attacker could potentially gain access to every website on the same server, bypassing customer isolation controls.
Sild explained:
“Shared web hosting servers often service hundreds of sites at the same time. Since the vulnerable malware scanner runs with root privileges, this could give an attacker access to all sites in the shared server.”
Proof-of-Concept and Mitigation
Patchstack has released technical documentation and a proof-of-concept (PoC) exploit to raise awareness and help hosting providers test their systems for exposure.
Recommended Actions:
- Apply the latest Imunify360 patch immediately (released October 21, 2025).
- Check for signs of compromise, especially unusual file uploads or privilege escalation attempts.
- Restrict root-level operations of malware scanners wherever possible.
- Isolate hosted environments to minimize cross-tenant risk in shared hosting platforms.
Conclusion
The Imunify360 flaw highlights a recurring security challenge in automated protection tools: when these systems run with elevated privileges, any flaw within them can become a single point of failure.
While Cloud Linux Software’s prompt patching mitigates immediate risk, millions of unpatched hosting environments may still be vulnerable. Hosting providers and website owners are urged to update their systems immediately to prevent potential mass compromise.

