A widespread security crisis has hit ImageMagick, the ubiquitous software tool used by millions of websites to process and resize images. The discovery, made by Octagon Networks using their autonomous engine pwn.ai, reveals that simply uploading a specially crafted picture, even a standard .jpg, could allow hackers to achieve Remote Code Execution (RCE) and take complete control of a web server.
Most websites use ImageMagick for the technical heavy lifting of image processing. Security systems usually check a file extension such as .png to decide whether an upload is safe, but the researchers found that ImageMagick decides what a file is by looking deeper into its internal bytes. Using a technique they called a magic byte shift, an attacker can disguise a dangerous script as a harmless photo.
“pwn.ai identified ImageMagick as the primary attack vector. Given there was nothing else on the application, the agent did something unusual: it downloaded ImageMagick into its own sandboxed environment and began a multi-day, systematic audit of the entire processing pipeline,” researchers wrote in the blog post.
A Failure of Recommended Defences
According to Octagon Networks’ research, the software is far too trusting of these hidden characters, allowing hackers to bypass security rules entirely. The problem is worsened because ImageMagick often acts as a middleman, handing complex files to a secondary tool called GhostScript.
Further investigation revealed that even when the main software was told to block certain files, it still passed them to GhostScript to execute malicious commands. This allows an attacker to read private passwords or write new files to create a permanent backdoor.
Furthermore, attackers can use the Magick Scripting Language (MSL) to escape security sandboxes and move files anywhere on a computer’s hard drive. This discovery affects almost every major Linux distribution, including Ubuntu 22.04, Debian, and Amazon Linux. Even the most restrictive settings failed to stop the attack, with researchers noting that “the ‘secure’ policy’s primary defense mechanism is completely non-functional” on many systems because of how different tools are bundled together.
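The article's two technical points, that ImageMagick identifies a file by its content rather than its extension, and that non-raster content can be handed to a delegate such as GhostScript or interpreted as MSL, suggest a defensive check that runs before ImageMagick ever sees an upload: require the declared extension to agree with the magic bytes, and refuse anything whose header region carries a PostScript, PDF or XML marker. The following is an added example written for this article; it is not code from Octagon Networks or the ImageMagick project. The signature table, the marker list, the 1 KB scan window and the sample files are all constructed assumptions, and the check is a coarse defence-in-depth layer, not a substitute for patching.

```python
# Added example (not from the article or Octagon Networks): reject uploads
# whose content does not match an allowlisted raster image format before the
# file reaches ImageMagick. Signatures, markers and samples are assumptions.

import os

# Magic-byte signatures at offset 0 for the formats we are willing to accept.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpeg": "jpg"}

# Headers that mean "not a plain raster image": PostScript, PDF, XML (MSL is
# XML). ImageMagick recognises these by content and may route them to a
# delegate, so they are refused regardless of the file's extension. The scan
# covers the whole header window rather than only offset 0, so a marker that
# has been pushed past some leading bytes is still caught.
SUSPICIOUS_MARKERS = (b"%!PS", b"%PDF", b"<?xml")
HEADER_BYTES = 1024  # assumed scan window


def detect_image_type(data: bytes):
    """Return the allowlisted format whose signature starts the data, or None."""
    for fmt, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason). ok is True only when the extension is allowlisted,
    the content starts with that format's signature, and no delegate-triggering
    marker appears anywhere in the first HEADER_BYTES."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' not allowed"
    head = data[:HEADER_BYTES]
    for marker in SUSPICIOUS_MARKERS:
        if marker in head:
            return False, f"found {marker!r} in header"
    detected = detect_image_type(head)
    if detected is None:
        return False, "no known image signature at offset 0"
    if detected != ext:
        return False, f"extension '{ext}' but content is {detected}"
    return True, "ok"


# Constructed samples (not real exploit files): a minimal JPEG header, a
# PostScript file renamed to .jpg, a PostScript marker buried behind padding,
# and a JPEG uploaded under a .png name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "renamed.jpg": b"%!PS-Adobe-3.0\n/x exch def\n",
    "shifted.png": b"\x00" * 32 + b"%!PS-Adobe-3.0\n",
    "mismatch.png": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}


def run_samples():
    """Validate every constructed sample and return {name: (ok, reason)}."""
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:14} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Only `photo.jpg` is accepted; the other three are refused for the reason printed. The `<?xml` marker is deliberately broad: a legitimate JPEG carrying XMP metadata in its first kilobyte could trip it, and in an upload pipeline that false positive is the cheaper error. Because the article reports that ImageMagick's own "secure" policy was not effective on many distributions, a check like this belongs in the application, ahead of ImageMagick, rather than in policy.xml alone.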
Impact on WordPress
This research, shared exclusively with Hackread.com, also highlights a serious risk to WordPress websites, especially those using plugins like Gravity Forms. A single upload can even be used to crash a server by filling its temporary memory with over 1TB of data in less than a second, knocking the site offline instantly.
While a fix was added to some versions in November 2025, it was never officially labelled as a security update. This means most standard servers, including the widely used Ubuntu setup, will remain vulnerable until 2027 unless owners manually intervene.
Researchers conclude that the lack of a formal warning has left a massive gap in global security, leaving many administrators unaware of the risk. With no automated patch on the horizon, the responsibility now falls on site owners to harden their systems against this invisible threat.