Some versions of the Imunify360 web server security platform contain a vulnerability that can allow an attacker to execute arbitrary code under specific circumstances.
The vulnerability is a PHP deserialization issue and it exists in versions 5.8 and 5.9 of Imunify360, a product designed to detect malware and other security issues on web-hosting servers. Researchers at Cisco Talos discovered the vulnerability, which is in the Ai-Bolit functionality of the product. The researchers found that an attacker can exploit it in a couple of different ways.
The flaw “could be triggered automatically just after the attacker creates a malicious file in the system if Imunify is configured with real-time file system scanning. It could also be triggered if the user scans a malicious file provided by the attacker with Ai-Bolit scanner. The attacker could cause a deserialization condition with controllable data and then execute arbitrary code,” the Talos advisory says.
The specific component that contains the vulnerability, Ai-Bolit, is installed by default and is meant to scan files for malware. Talos reported the flaw to CloudLinux, which sells Imunify360, and the vendor released fixed versions to address it.
Server administrators running vulnerable versions of Imunify360 should upgrade as soon as possible, especially now that information about the vulnerability is public.