CVE-2026-48172: CISA Gives Federal Agencies 4 Days to Patch LiteSpeed cPanel Plugin Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies four days to secure their servers against a critical privilege escalation vulnerability in the LiteSpeed user-end cPanel plugin. CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026, with a patch deadline of midnight on May 29. Attackers are already exploiting the flaw in the wild, and every server running an affected plugin version is at risk of full root compromise.

CVE-2026-48172

What Is CVE-2026-48172?

CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed user-end cPanel plugin for Linux servers. Security researcher David Strydom discovered and reported the flaw to LiteSpeed Technologies on May 19, 2026.

The vulnerability stems from an incorrect privilege assignment weakness (CWE-266) inside the lsws.redisAble function, which handles enabling and disabling Redis features. Because of this mishandling, any cPanel user, including an attacker or a compromised account, can invoke the function to execute arbitrary scripts with root privileges on the server.

Under the CVSS 4.0 scoring system, this vulnerability receives a perfect score of 10.0 CRITICAL. The attack vector is network-based, requires no authentication, no special privileges, and no user interaction. A remote attacker starts with zero access and ends with root control over the entire machine.

This kind of server-level privilege escalation is exactly what the Verizon 2026 Data Breach Investigations Report flagged as the defining threat of the year: for the first time in 19 years, exploiting software vulnerabilities has overtaken stolen credentials as the primary way attackers break into corporate networks.

Which Versions Are Affected?

The vulnerability affects the following plugin versions on Linux platforms:

PluginAffected VersionsFixed Version
LiteSpeed cPanel User-End Pluginv2.3 through v2.4.4v2.4.7 or higher
LiteSpeed WHM Pluginv0 through v5.3.0.xv5.3.1.0 or higher

The WHM plugin and the user-end cPanel plugin ship together. Updating to WHM Plugin v5.3.1.0 automatically installs cPanel plugin v2.4.7, which is the minimum safe version.

LiteSpeed’s initial patch arrived in v2.4.5 on May 19, 2026, alongside cPanel pushing an uninstall command for the affected plugin. LiteSpeed then completed a full security review with the cPanel/WebPros team and released v2.4.7 and WHM Plugin v5.3.1.0 on May 21, 2026, closing additional potential attack vectors discovered during the review. No exploitation of those secondary vectors has been reported.

How CVE-2026-48172 Exploits the lsws.redisAble Function

Attackers exploit CVE-2026-48172 by calling the lsws.redisAble function through the cPanel JSON API. The function incorrectly assigns root-level privileges during Redis enable/disable operations, allowing the caller to inject and run arbitrary scripts at the highest system level.

Because the exploit requires no prior privileges, any user with cPanel access on a shared hosting environment can attempt it. On a multi-tenant server, a single compromised or malicious cPanel account gives an attacker full root access to every other site and account hosted on that machine.

This attack pattern follows the same playbook seen in recent high-profile server-side campaigns. The Ghost CMS CVE-2026-26980 SQL injection flaw saw active exploitation across 700 domains within days of public disclosure. Widely deployed server plugins with elevated access are priority targets because a single exploit scales across thousands of servers simultaneously.

How to Detect Exploitation on Your Server

LiteSpeed and CISA both recommend running the following detection command directly on your Linux server:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Interpret the results as follows:

No output: Your server has no evidence of exploitation through this vulnerability.

Output present: Your server may have been targeted. Take these steps immediately:

  1. Review every IP address in the output.
  2. Identify any unauthorized or suspicious IPs.
  3. Block unauthorized IPs at the firewall level.
  4. Examine your system logs for any actions those IPs performed after access.

If you need assistance analyzing the results, LiteSpeed’s support team can help you investigate further.

How to Fix CVE-2026-48172

Updating the plugin is the only complete fix. Follow these steps:

  1. Log in to your WHM (Web Host Manager) control panel.
  2. Navigate to the LiteSpeed plugin management section.
  3. Update to LiteSpeed WHM Plugin v5.3.1.0 or higher, which bundles cPanel user-end plugin v2.4.7.
  4. Verify the installed version after the update completes.

If you cannot upgrade immediately, LiteSpeed provides the following emergency uninstall command to remove the vulnerable user-end plugin from your server:

/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall

Running this command removes the attack surface entirely until you can apply the full update. Refer to LiteSpeed’s official security advisory for full patch notes and version history.

For organizations running cloud-hosted infrastructure on behalf of federal agencies, CISA’s guidance specifies: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Why CISA Added CVE-2026-48172 to the Known Exploited Vulnerabilities Catalog

CISA’s Known Exploited Vulnerabilities catalog is not a list of every known CVE. It is a curated list of vulnerabilities with confirmed real-world exploitation. CISA adds a vulnerability only when it meets three conditions: an assigned CVE ID, clear remediation guidance, and reliable evidence of active exploitation in the wild. Less than 4% of all known CVEs ever make it onto the KEV.

Under Binding Operational Directive 22-01, all U.S. Federal Civilian Executive Branch (FCEB) agencies must patch KEV-listed vulnerabilities within the mandated timeframe. For CVE-2026-48172, that deadline is midnight on May 29, 2026, four days after CISA added it to the catalog on May 26. The short window reflects the active exploitation already underway.

BOD 22-01 legally binds only FCEB agencies, but CISA strongly urges all organizations, including private sector and critical infrastructure operators, to treat KEV entries as immediate patch priorities. CISA’s own data reinforces why: of all CVEs that eventually see exploitation, 42% face active attacks on day zero of disclosure, 50% within two days, and 75% within 28 days. There is no safe waiting period once a flaw reaches the KEV.

CISA also notes that this class of vulnerability, a privilege escalation flaw in widely deployed server software, “is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” The same infrastructure risks extend to any hosting provider, managed service operator, or enterprise running LiteSpeed on cPanel-managed Linux servers.

The exploitation of trusted, widely deployed software infrastructure is a consistent theme in 2026 attacks. Hackers used Kash Patel’s website to deliver infostealer malware to visitors, demonstrating how attackers weaponize legitimate, trusted systems rather than always attacking from the outside. A server plugin with root access running on thousands of shared hosting environments represents exactly the kind of trusted infrastructure that attackers prioritize.

Organizations that use Microsoft Defender for Endpoint alongside their hosting infrastructure can now benefit from automatic device isolation as part of attack disruption workflows, but server-side patching remains the primary and only complete defense against CVE-2026-48172. Endpoint tools do not substitute for a plugin update on a cPanel server.

Related Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply