LiteSpeed cPanel Plugin CVE-2026-48172 Exploited for Root Access

CISA added LiteSpeed cPanel Plugin CVE-2026-48172 to KEV after active exploitation. Update to the fixed WHM/cPanel plugin bundle and check logs for redisAble abuse.

CISA has added CVE-2026-48172 in the LiteSpeed user-end cPanel plugin to its Known Exploited Vulnerabilities catalog, giving administrators only until May 29, 2026, to apply vendor mitigations on covered federal systems.[1] The vulnerability matters beyond government networks because it sits in a hosting control-panel plugin: a normal cPanel user, or a compromised shared-hosting account, may be able to run arbitrary scripts as root through the plugin’s Redis enable/disable handling.[2]

LiteSpeed published its security update on May 21 and said the issue was being actively exploited. The affected user-end plugin range is version 2.3 through 2.4.4, while the recommended fixed baseline is LiteSpeed WHM Plugin 5.3.1.0 bundled with cPanel plugin 2.4.7 or later.[2] NVD now tracks the issue as a critical vulnerability, with a CVSS 3.1 score of 9.8 and a CNA CVSS 4.0 base score of 10.0.[3]


The immediate risk is highest for hosting providers, agencies, managed-service operators, and anyone running LiteSpeed’s cPanel integration on shared Linux servers. Shared hosting changes the usual privilege-escalation calculus: a low-privilege customer account, stolen cPanel login, or already-compromised website account can become the starting point for server-wide damage.

What server owners should check now

First, identify whether the user-end cPanel plugin is present and update to the fixed LiteSpeed WHM/cPanel plugin bundle. If you cannot update immediately, LiteSpeed says administrators can remove the user-end plugin to avoid this specific exposure.[2] Do not treat that as a long-term substitute for a clean update plan, because LiteSpeed also used the release to close additional potential attack vectors found during its review.

Second, check for exploitation evidence. LiteSpeed and NVD both point administrators to this grep pattern for cPanel logs:[2][3]

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

No output is a useful sign, but it is not a forensic clean bill of health. If the command returns entries, validate the source IP addresses, block clearly malicious sources, and review system logs for follow-on actions by those IPs. Because the bug can reach root, the response should include a review of cron jobs, new users, SSH keys, web shells, altered binaries, unexpected outbound connections, and backup integrity.
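
Added example (not from LiteSpeed, NVD, or the original article): a POSIX shell wrapper around the grep check above that groups matching requests by source, so the IP validation step starts from a ranked list. It assumes each matching log line begins with the client address, as in access-log style formats; `redisable_hits` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: group requests matching the vendor's grep pattern by source.
# Assumption: the first whitespace-separated field of a matching log line is
# the client address (access-log style). Log paths containing ':' would be
# mis-split by the awk step.
# Usage: sh redisable_triage.sh /var/cpanel/logs /usr/local/cpanel/logs/

PATTERN='cpanel_jsonapi_func=redisAble'

# redisable_hits DIR...   (hypothetical helper name)
# Prints "<hits> <source> <one file containing it>", busiest source first.
# Returns 1 when nothing matched, so callers can branch on the result.
redisable_hits() {
    rh_out=$(grep -rHE -- "$PATTERN" "$@" 2>/dev/null |
        awk '{
            i = index($0, ":")              # grep -H output is "file:line"
            file = substr($0, 1, i - 1)
            split(substr($0, i + 1), f, " ")
            src = f[1]
            hits[src]++
            if (!(src in seen)) seen[src] = file
        }
        END { for (s in hits) print hits[s], s, seen[s] }' |
        sort -k1,1nr -k2,2)
    [ -n "$rh_out" ] || return 1
    printf '%s\n' "$rh_out"
}

if [ "$#" -gt 0 ]; then
    redisable_hits "$@" || echo "no redisAble requests in: $*"
fi
```

Compressed rotated logs are not read by `grep -r`; decompress them or search them with `zgrep` separately.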

This is also a good time to compare the incident with earlier hosting-panel emergencies. HowToFix.guide has recently covered an exploited cPanel & WHM authentication-bypass bug and a separate cPanel & WHM patch batch, both reminders that control panels deserve the same urgency as edge devices. If exploitation moved from a web account into the OS layer, the triage starts to resemble any other Linux root-access incident: assume secrets and local credentials may need rotation after containment.

For operators with many servers, the practical priority order is simple: inventory LiteSpeed/cPanel plugin versions, patch or remove the user-end plugin, run the log check centrally, isolate any host with hits, and only then bring affected systems back into normal rotation after credential and persistence review.

References

  1. CISA, Known Exploited Vulnerabilities Catalog entry for CVE-2026-48172, added May 26, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48172
  2. LiteSpeed Technologies, “Security Update for LiteSpeed cPanel Plugin,” published May 21, 2026. https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
  3. NIST National Vulnerability Database, CVE-2026-48172 detail page. https://nvd.nist.gov/vuln/detail/CVE-2026-48172

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
