A critical vulnerability was recently discovered in Imunify360 AV, a security scanner used by web hosting companies to protect over 56 million websites. An advisory by cybersecurity company Patchstack warns that the vulnerability can allow attackers to take full control of the server and every website on it.
Imunify360 AV
Imunify360 AV is a malware scanning system used by multiple hosting companies. The vulnerability was discovered within its AI-Bolit file-scanning engine and within the separate database-scanning module. Because both the file and database scanners are affected, attackers can compromise the server through two paths, which can allow full server takeover and potentially put millions of websites at risk.
Patchstack shared details of the potential impact:
“Remote attackers can embed specifically crafted obfuscated PHP that matches imunify360AV (AI-bolit) deobfuscation signatures. The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code. Impact ranges from website compromise to full server takeover depending on hosting configuration and privileges.
Detection is non-trivial because the malicious payloads are obfuscated (hex escapes, packed payloads, base64/gzinflate chains, custom delta/ord transformations) and are intended to be deobfuscated by the tool itself.
imunify360AV (Ai-Bolit) is a malware scanner specialized in website-related files like php/js/html. By default, the scanner is installed as a service and works with a root privileges
Shared hosting escalation: On shared hosting, successful exploitation can lead to privilege escalation and root access depending on how the scanner is deployed and its privileges. if imunify360AV or its wrapper runs with elevated privileges an attacker could leverage RCE to move from a single compromised site to complete host control.”
Patchstack shows that the scanner’s own design gives attackers both the method of entry and the mechanism for execution. The tool is built to deobfuscate complex payloads, and that capability becomes the reason the exploit works. Once the scanner decodes attacker-supplied functions, it can run them with the same privileges it already has.
In environments where the scanner operates with elevated access, a single malicious payload can move from a website-level compromise to control of the entire hosting server. This connection between deobfuscation, privilege level, and execution explains why Patchstack classifies the impact as ranging up to full server takeover.
Two Vulnerable Paths: File Scanner and Database Scanner
Security researchers initially discovered a flaw in the file scanner, but the database-scanning module was later found to be vulnerable in the same way. According to the announcement: “the database scanner (imunify_dbscan.php) was also vulnerable, and vulnerable in the exact same way.” Both of the malware scanning components (file and database…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
