Zero-day | Apr 1, 2026

ImageMagick Zero-Day Enables RCE on Linux and WordPress Servers

ImageMagick zero-day enables RCE via crafted image uploads on Linux and WordPress servers.

Summary

Octagon Networks disclosed a critical zero-day vulnerability in ImageMagick that allows Remote Code Execution through specially crafted image uploads using a "magic byte shift" technique to bypass file validation. The flaw affects Ubuntu, Debian, Amazon Linux, and WordPress installations, with the vulnerability exploitable even with restrictive security policies because ImageMagick delegates processing to GhostScript. A patch was quietly added in November 2025 but never officially labeled as a security update, leaving most systems vulnerable until 2027.

Full text

New research from Octagon Networks reveals a critical zero-day ImageMagick vulnerability that allows Remote Code Execution (RCE) via simple image uploads, affecting Ubuntu, Amazon Linux, and WordPress. This magic byte shift bypasses even the most secure policies.

by Deeba Ahmed | April 1, 2026 | 2 minute read

A widespread security crisis has hit ImageMagick, the ubiquitous software tool used by millions of websites to process and resize images. This discovery, made by Octagon Networks using their autonomous engine pwn.ai, reveals that simply uploading a specifically crafted picture, even a standard .jpg, could allow hackers to achieve Remote Code Execution (RCE) and take complete control of a web server.

Most websites use ImageMagick for the technical heavy lifting of image processing. Security systems usually check file extensions like .png for safety, but researchers found that ImageMagick looks deeper, into a file's internal code. By using a technique they called a magic byte shift, an attacker can disguise a dangerous script as a harmless photo.

“pwn.ai identified ImageMagick as the primary attack vector. Given there was nothing else on the application, the agent did something unusual: it downloaded ImageMagick into its own sandboxed environment and began a multi-day, systematic audit of the entire processing pipeline,” researchers wrote in the blog post.

A Failure of Recommended Defences

According to Octagon Networks’ research, the software is far too trusting of these hidden characters, allowing hackers to bypass security rules entirely. The problem is worsened because ImageMagick often acts as a middleman, handing complex files to a secondary tool called GhostScript. Further investigation revealed that even when the main software was told to block certain files, it still passed them to GhostScript, which executed the malicious commands. This allows an attacker to read private passwords or write new files to create a permanent backdoor. Furthermore, attackers can use the Magick Scripting Language (MSL) to escape security sandboxes and move files anywhere on a computer’s hard drive.

This discovery affects almost every major Linux distribution, including Ubuntu 22.04, Debian, and Amazon Linux. Even the most restrictive settings failed to stop the attack, with researchers noting that “the ‘secure’ policy’s primary defense mechanism is completely non-functional” on many systems because of how different tools are bundled together.

Impact on WordPress

This research, shared exclusively with Hackread.com, also highlights a serious risk to WordPress websites, especially those using plugins like Gravity Forms. A single upload can even be used to crash a server by filling its temporary memory with over 1TB of data in less than a second, knocking the site offline instantly.

While a fix was added to some versions in November 2025, it was never officially labelled as a security update. This means most standard servers, including the widely used Ubuntu setup, will remain vulnerable until 2027 unless owners manually intervene.

Researchers conclude that the lack of a formal warning has left a massive gap in global security, leaving many administrators unaware of the risk. With no automated patch on the horizon, the responsibility now falls on site owners to harden their systems against this invisible threat.
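
An upload gate for the extension-versus-content gap the article describes, as an added example that is not code from the article or from Octagon Networks. It assumes a JPEG/PNG/GIF allow-list; the marker list, scan window and sample inputs are constructed, and because the article does not detail the magic byte shift, this is general hardening rather than a confirmed fix for that flaw.

```python
import os

# Allow-list: ImageMagick coder to pin, and accepted leading-byte signatures.
FORMATS = {
    "jpg": ("jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("jpeg", (b"\xff\xd8\xff",)),
    "png": ("png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("gif", (b"GIF87a", b"GIF89a")),
}
# Assumed marker list for script-capable formats (PostScript/EPS, PDF, XML-based MSL/SVG).
SCRIPT_MARKERS = (b"%!ps", b"%pdf-", b"<?xml", b"<image", b"<svg")
SCAN_WINDOW = 4096  # assumed: how many leading bytes the marker scan covers


def check_upload(filename, data):
    """Return (accepted, reason); runs before any image library touches the bytes."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in FORMATS:
        return False, "extension not on allow-list"
    if not data.startswith(FORMATS[ext][1]):
        return False, "leading bytes do not match claimed extension"
    head = data[:SCAN_WINDOW].lower()
    for marker in SCRIPT_MARKERS:
        if marker in head:
            return False, "script-format marker near start of file"
    return True, "ok"


def convert_argv(src_path, ext, dst_path):
    """argv (no shell) with an explicit coder prefix, so the decoder is pinned
    to the validated format instead of being chosen from file content."""
    coder = FORMATS[ext][0]
    return ["convert", f"{coder}:{src_path}", "-strip", f"{coder}:{dst_path}"]


# Constructed sample inputs (not taken from the research).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "renamed.jpg": b"%!PS-Adobe-3.0\n% constructed PostScript header\n",
    "mixed.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?xml version='1.0'?><image/>",
    "doc.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob))
```

`convert` is the ImageMagick 6 command name; on ImageMagick 7 the binary is `magick`.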

Indicators of Compromise

  • malware — ImageMagick RCE via magic byte shift
  • malware — GhostScript exploitation chain
  • malware — Magick Scripting Language (MSL) sandbox escape