CISA Gives Feds 4 Days to Patch Actively Exploited cPanel Plugin Flaw
CISA has ordered U.S. federal agencies to patch CVE-2026-48172, a critical actively exploited vulnerability in the LiteSpeed cPanel plugin, within four days. The privilege escalation flaw allows unauthenticated remote attackers to run arbitrary scripts as root, prompting CISA to urge all organizations to update immediately.

Tracked as CVE-2026-48172, this privilege escalation vulnerability is related to the mishandling of Redis enable/disable features and was found in the lsws.redisAble function. The vulnerability stems from an incorrect privilege assignment weakness that enables remote attackers with no privileges to execute arbitrary scripts with root privileges.
LiteSpeed released urgent security updates on Thursday to address the flaw, warning users to update the cPanel user-end plugin (bundled with the WHM plugin) to the latest version. The LiteSpeed team noted that this vulnerability is being actively exploited and poses a risk for all user-end plugin versions between v2.3 and v2.4.4.
https://x.com/litespeedtech/status/2057479889930817601
Users are advised to use the following command to check if their server is vulnerable to CVE-2026-48172 attacks:

    grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If this command results in any output, the company recommends examining the IPs in the list, determining if they are valid, and if not, blocking them. To determine any damage done, examine the system logs for any actions taken by the detected IPs.
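To turn raw grep matches into a short list of addresses to review, the following added example (not LiteSpeed's or CISA's code) groups matching lines by source address with hit counts and first/last timestamps. It assumes each log line begins with the client address and contains a bracketed timestamp; the function names, the /placeholder path and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: group redisAble requests by source address for triage.
# Assumption: each log line starts with the client address and carries a
# [bracketed] timestamp, as in combined-style access logs.

redisable_hits_by_ip() {
    # Arguments: log files or directories; defaults to the advisory's paths.
    [ "$#" -gt 0 ] || set -- /var/cpanel/logs /usr/local/cpanel/logs/
    grep -rhE "cpanel_jsonapi_func=redisAble" "$@" 2>/dev/null |
    awk '
        {
            ip = $1; ts = "-"
            s = index($0, "["); e = index($0, "]")
            if (s && e > s) ts = substr($0, s + 1, e - s - 1)
            if (!(ip in count)) first[ip] = ts   # first/last are in read order
            count[ip]++
            last[ip] = ts
        }
        END {
            for (ip in count)
                printf "%d\t%s\t%s\t%s\n", count[ip], ip, first[ip], last[ip]
        }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

demo_redisable_triage() {
    # Constructed sample lines (documentation address ranges, made-up path
    # and function name "otherFunc"); not real traffic.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/access_log" <<'EOF'
203.0.113.7 - - [05/21/2026:10:01:02 -0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.4 - - [05/21/2026:10:02:00 -0000] "GET /placeholder?cpanel_jsonapi_func=otherFunc HTTP/1.1" 200 0
203.0.113.7 - - [05/21/2026:10:05:40 -0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.15 - - [05/21/2026:11:30:00 -0000] "GET /placeholder?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
EOF
    redisable_hits_by_ip "$tmp"
    rm -rf "$tmp"
}

# Columns: hits, source address, first seen, last seen (tab-separated).
demo_redisable_triage
```

grep does not look inside compressed rotated logs, so archived files have to be decompressed (or searched with zgrep) before they are counted.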
On Tuesday, CISA added the security flaw to its catalog of vulnerabilities exploited in attacks and ordered U.S. federal agencies to patch their systems by midnight on Friday, May 29, as mandated by Binding Operational Directive (BOD) 22-01. While BOD 22-01 applies only to U.S. federal agencies, CISA urged all defenders (including the private sector) to prioritize CVE-2026-48172 patches and secure their servers as soon as possible.
CISA warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. It directed agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EXPERT TAKE
Administrators should immediately audit logs with the provided grep command and update any LiteSpeed cPanel user-end plugin versions between v2.3 and v2.4.4 to block active exploitation attempts.