Website security products from Imunify360, designed for Linux-based web hosting environments and used to protect an estimated 56 million sites as of October 2024, were recently found to be affected by a serious vulnerability. This flaw, identified by security company Patchstack, impacts the Imunify360 antivirus and its underlying Ai-Bolit malware scanner, which is also used in ImunifyAV+ and ImunifyAV. The weakness is a critical security vulnerability that allows an attacker to execute arbitrary code, potentially leading to a full compromise of the hosting environment.
The vulnerability is triggered when the affected product scans a specially crafted file uploaded by an attacker. Cloud Linux Software, the developer of Imunify360, issued an advisory on November 4, 2024, confirming the critical nature of the flaw, though they have not assigned a CVE identifier. A patch to address the issue has been available since October 21, highlighting the importance for hosting providers to update their installations immediately to mitigate the risk.
According to Oliver Sild, CEO of Patchstack, the major concern is the method of exploitation on shared hosting services. An attacker could simply sign up for a shared hosting account and intentionally upload the bait malware file designed to trigger the vulnerability upon scanning. Because the malware scanner runs with elevated privileges—often root privileges—the malicious code planted inside the file would be executed with the same powerful permissions, essentially bypassing the system’s security.
This elevation of privilege poses a catastrophic risk, especially in a shared hosting context. Shared servers often house hundreds of customer sites that must be strictly isolated from one another. Since the vulnerable scanner runs with the highest level of system privileges, a successful exploitation could grant the attacker access to all other sites hosted on that shared server, completely undermining the security and isolation measures intended to protect different customers’ data and applications.
The security firm Patchstack has made technical details and a proof-of-concept (PoC) exploit publicly available to help the security community understand the threat. While information about the flaw has been circulating since late October, Patchstack could not confirm whether it has been exploited in real-world attacks. Hosting providers using Imunify360 and related products are strongly advised to verify that the patch has been applied and to thoroughly check their systems for any signs of compromise.
Reference:
