From zdnet.com
A severe PHP deserialization vulnerability leading to code execution has been patched in Imunify360.
Discovered by Cisco Talos researcher Marcin ‘Icewall’ Noga, the vulnerability “could cause a deserialization condition with controllable data and then execute arbitrary code,” leaving web servers open to hijacking.
Tracked as CVE-2021-21956 and issued a CVSSv3 score of 8.2, the security flaw is present in CloudLinux’s Imunify360 versions 5.8 and 5.9. Imunify360 is a security suite for Linux web servers that includes patch management, domain blacklisting, and firewall features.