A critical Remote Code Execution (RCE) vulnerability (CVSS 8.2) was discovered in Imunify360 AV (AI-Bolit) before v32.7.4.0, a security product protecting ~56 million websites globally. The flaw stems from unsafe deobfuscation logic that executes malicious PHP functions (e.g., `system()`, `exec()`, `eval()`) when processing attacker-crafted malware samples. Exploitation allows arbitrary command execution, leading to full server compromise—especially severe in shared hosting environments where Imunify360 often runs with root privileges.The vulnerability, disclosed quietly via Zendesk (November 2025) without a CVE or formal advisory, enables attackers to bypass detection via obfuscation techniques (hex escapes, base64/gzinflate chains). Successful attacks could escalate from a single website to complete host takeover, disrupting services for millions. CloudLinux (the vendor) has not issued public warnings beyond a support portal update, leaving many administrators unaware. Immediate patching or mitigation (e.g., isolated containers) is critical to prevent mass exploitation. This marks the second critical RCE in Imunify360 since 2021, highlighting systemic risks in its deobfuscation engine.