
Security Advisory: Imunify AI-Bolit Vulnerability

We are issuing this security advisory regarding a vulnerability discovered in the AI-Bolit component of Imunify products. A patch for this vulnerability was released on October 23, 2025, and has already been automatically deployed to the vast majority of servers.

Summary

  • A vulnerability was discovered and reported to us via responsible disclosure.
  • We immediately developed a security patch. That patch was released on October 23, 2025.
  • As of November 17, 2025, the vast majority of Imunify servers have already been automatically updated and secured.
  • We have no evidence of this vulnerability being exploited in the wild.
  • No suspicious activity has been reported by any customer.

 

Affected Products

Products: Imunify360, ImunifyAV+, ImunifyAV
Component: AI-Bolit
Versions: before 32.7.4-1

 

Vulnerability Details

The vulnerability was found in the deobfuscation logic of the AI-Bolit component. An attacker could craft a malicious payload that could cause the scanner to execute arbitrary code and escalate privileges to root.

In ai-bolit-hoster.php, the deobfuscation functions deobfuscateDeltaOrd and deobfuscateEvalHexFunc call Helpers::executeWrapper() (which wraps call_user_func_array()) on strings extracted directly from scanned files.

Because these strings were not filtered by Helpers::convcrafted payload could invoke arbitrary PHP functions.

This vulnerability had two potential attack vectors: one via file scanning and another via database scanning. Our patch resolved both of these vectors simultaneously. It does this by implementing a strict whitelist of safe functions that the deobfuscator is permitted to call.

A CVE ID is pending assignment for this vulnerability.

 

Recommended Action

Upgrade the ai-bolit package to version 32.7.4-1 or later:

yum update ai-bolit

For Debian-based package managers:

apt-get update
apt-get install --only-upgrade ai-bolit

For CentOS 6:
A backported fix is available as version 32.1.10-2.32.7.4.

 

Version Check

To check what version of AI-Bolit is installed, use the following CLI commands:

For CentOS/CloudLinux/AlmaLinux:

rpm -qa | grep ai-bolit

For Debian/Ubuntu:

dpkg -l | grep ai-bolit
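
The version check can be turned into a pass/fail test against the fixed versions named under Recommended Action. The script below is an added example, not Imunify's own tooling: the function names are hypothetical, `sort -V` is assumed to be available (GNU coreutils), and treating the CentOS 6 backport as possibly carrying a distribution suffix is an assumption.

```shell
#!/bin/sh
FIXED="32.7.4-1"              # first fixed version (from the advisory)
BACKPORT="32.1.10-2.32.7.4"   # CentOS 6 backport (from the advisory)

# Print the installed version-release string, or nothing if not installed.
aibolit_installed_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q ai-bolit >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' ai-bolit
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' ai-bolit 2>/dev/null || true
    fi
}

# aibolit_is_patched VERSION: 0 = patched, 1 = vulnerable, 2 = unparseable
aibolit_is_patched() {
    v=${1#*:}                 # drop a package epoch ("N:") if one is present
    case $v in
        '' | *[!0-9A-Za-z.+~_-]*) return 2 ;;
        [0-9]*) ;;
        *) return 2 ;;
    esac
    # The backport sorts below FIXED, so it has to be recognised by name.
    case $v in
        "$BACKPORT" | "$BACKPORT".*) return 0 ;;
    esac
    # Version-aware ordering: 32.10.0 must rank above 32.7.4.
    lowest=$(printf '%s\n%s\n' "$FIXED" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Report on the given version, or on the locally installed package.
aibolit_report() {
    ver=${1:-$(aibolit_installed_version)}
    [ -n "$ver" ] || { echo "ai-bolit: not installed"; return 3; }
    rc=0
    aibolit_is_patched "$ver" || rc=$?
    case $rc in
        0) echo "ai-bolit $ver: patched" ;;
        1) echo "ai-bolit $ver: VULNERABLE, upgrade to $FIXED or later" ;;
        *) echo "ai-bolit $ver: unrecognised version string" ;;
    esac
    return "$rc"
}
```

Source the file and run `aibolit_report` on the host, or pass it a version string collected from another server.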

 

Temporary Workaround

If you are unable to upgrade AI-Bolit right away, there is a temporary workaround. Disable all types of file scans (scheduled, real-time, FTP scans, ModSecurity uploads) until the patch is applied.

You can do this by editing your configuration files to set the following:

MALWARE_SCANNING:
  enable_scan_pure_ftpd: False
  enable_scan_modsec: False
  scan_modified_files: False
  enable_scan_cpanel: False
  crontabs: False

MALWARE_SCAN_SCHEDULE:
  interval: 'NONE'

PERMISSIONS:
  allow_malware_scan: False

 

Alternatively, restrict scheduled scans to trusted users only.

 

Security Philosophy

Our primary responsibility is to fix problems and secure our customers. Announcing a vulnerability before a patch is widely deployed is irresponsible and serves only to help attackers. Our process is to:

  1. Find and fix the issue.
  2. Deploy the patch silently and automatically to protect the maximum number of users.
  3. Proactively contact any users who have not updated automatically.
  4. Once our users are secure, we disclose the matter publicly.

This incident also highlights the importance of automatic updates. They are the single best way to ensure your servers are protected from threats the moment a patch is available. Please ensure auto-updates are enabled in your environment.

 

Acknowledgements

We thank Aleksejs Popovs for responsibly reporting this vulnerability and coordinating disclosure with the Imunify team.

 

If you have any questions, please contact our support team.
