Publicly disclosed flaw enables RCE via malware scanning engine

Written by Field Effect Security Intelligence Team | Nov 13, 2025 9:30:00 PM

At a glance: CloudLinux patched a high-risk ImunifyAV/Imunify360 vulnerability in the AI-Bolit scanning engine that enables remote code execution during malware analysis. Field Effect MDR users are automatically alerted if affected and should review related AROs to confirm patch status and follow remediation guidance.

Threat summary

On November 13, 2025, CloudLinux reported on a critical vulnerability in the AI-Bolit malware scanning component of ImunifyAV, a tool widely deployed across Linux-based web hosting environments.

The flaw affects versions prior to 32.7.4.0 and impacts all tiers of the Imunify suite, including the free ImunifyAV, the paid ImunifyAV+, and the broader Imunify360 platform.

The vulnerability allows remote code execution on the server, potentially leading to full compromise of hosted websites. Exploitation of the flaw requires the AI-Bolit scanner to perform active deobfuscation during the analysis phase.

While this feature is disabled by default in the standalone AI-Bolit command-line interface, it's forcibly enabled in all scan modes within Imunify360—including background, on-demand, user-initiated, and rapid scans—meeting the conditions necessary for exploitation.

Researchers demonstrated a proof-of-concept exploit that places a crafted PHP file in the temporary directory, which triggers remote code execution when scanned by the antivirus engine.

As of November 13, no Common Vulnerabilities and Exposures (CVE) identifier has been assigned to this flaw. However, the researchers who discovered it assigned it a Common Vulnerability Scoring System (CVSS) score of 8.1, indicating high risk.

CloudLinux, the vendor behind ImunifyAV, released a patch in late October 2025 and backported the fix to older Imunify360 AV versions on November 10, 2025. The backport is likely a response to the widespread use of Imunify360 across hosting environments where immediate upgrades may not be feasible. By extending the patch to legacy versions, CloudLinux reduces exposure for users operating on long-term support configurations or delayed update cycles.

Analyst insight

The flaw’s exposure surface includes any Linux server running vulnerable versions of ImunifyAV or its derivatives, making it relevant to MSPs, hosting providers, and enterprise environments with self-managed web infrastructure.

CloudLinux recommends updating to AI-Bolit version 32.7.4.0 or later. Organizations managing Imunify deployments are advised to verify patch levels across all servers and ensure that legacy versions have received the backported fix. Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment. 
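One way to act on the patch-level verification described above, as an added example rather than code from Field Effect or CloudLinux: it parses version strings from a constructed host inventory and flags anything below 32.7.4.0, comparing components numerically so that a version such as 32.7.10.0 is not mistaken for an older release. How the version strings are collected from each host (package query, agent output) is assumed to happen elsewhere, and the inventory contents are constructed sample data.

```python
"""Flag ImunifyAV/AI-Bolit installs below the patched 32.7.4.0 release.

Added example, not Field Effect's or CloudLinux's code. The inventory is
constructed sample data; collecting versions from hosts is assumed to be
handled elsewhere.
"""
import re

PATCHED = "32.7.4.0"  # fixed AI-Bolit version named in the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a dotted numeric version (two or more components) from a
    string such as 'imunify-antivirus-32.7.3.0-1.el8' or '32.7.4'.
    Missing trailing components count as zero, so '32.7.4' == '32.7.4.0'.
    Raises ValueError when no version is present."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    # Pad so tuples compare component-wise, never lexically as strings.
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the patched release."""
    return parse_version(version) < parse_version(PATCHED)


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Return host -> reason for every host that needs attention,
    including hosts whose version could not be determined."""
    findings = {}
    for host, reported in inventory.items():
        try:
            if is_vulnerable(reported):
                findings[host] = f"{reported} is below {PATCHED}"
        except ValueError as exc:
            findings[host] = f"unparseable version: {exc}"
    return findings


# Constructed sample inventory: host -> version string as reported by the host.
SAMPLE_INVENTORY = {
    "web01.example.test": "imunify-antivirus-32.7.3.0-1.el8",  # package-style string
    "web02.example.test": "32.7.4.0",
    "web03.example.test": "32.7.10.0",  # a string compare would wrongly flag this
    "web04.example.test": "32.7.4",     # shorthand for 32.7.4.0
    "web05.example.test": "not installed",
}

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {reason}")
```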

Disabling AI-Bolit temporarily may reduce exposure, though this limits malware detection capabilities. Monitoring for anomalous activity and reviewing server logs for signs of exploitation is recommended. No additional workarounds have been published.