CISA Adds Critical LiteSpeed cPanel Plugin Vulnerability (CVE-2026-48172) to KEV Catalog

CISA Mandates Urgent Patch for Actively Exploited LiteSpeed cPanel Flaw Granting Root Access

CRITICAL
May 28, 2026
Categories: Vulnerability, Patch Management, Threat Intelligence


Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert for CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed user-end plugin for cPanel. With a CVSS score of 9.8 (Critical), this flaw allows low-privilege authenticated users to gain full root access to the server. Citing evidence of active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 26, 2026, and has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply patches by May 29, 2026. The vulnerability affects a widely used web server technology, posing a significant risk to shared hosting environments where a single compromised server can impact hundreds of tenants.

Vulnerability Details

  • CVE ID: CVE-2026-48172
  • CVSS Score: 9.8 (Critical)
  • Description: The vulnerability is a privilege escalation flaw (CWE-266: Improper Privilege Management) within the LiteSpeed user-end plugin for cPanel. It specifically resides in the lsws.redisAble function. An authenticated cPanel user, regardless of their privilege level, can exploit this function to execute arbitrary scripts with root permissions.
  • Attack Vector: An attacker with valid, low-privilege cPanel credentials can exploit this flaw to achieve full administrative control of the underlying server.

Affected Systems

  • Product: LiteSpeed User-End cPanel Plugin
  • Affected Versions: v2.3 through v2.4.4
  • Patched Version: The vulnerability is addressed in version 2.4.5 of the user-end plugin, which is included in LiteSpeed WHM Plugin version 5.3.1.0 and higher.

Exploitation Status

CISA has confirmed that CVE-2026-48172 is being actively exploited in the wild. The ease of exploitation (requiring only a low-privilege cPanel account) and the high impact (full root access) make this a prime target for attackers. The short remediation deadline imposed by CISA underscores the urgency and widespread threat this vulnerability represents, particularly for web hosting providers and their customers.

Impact Assessment

The impact of exploiting CVE-2026-48172 is severe. Gaining root access allows an attacker to:

  • Install backdoors, rootkits, or other persistent malware.
  • Access, modify, or steal sensitive data belonging to all users on the shared server.
  • Deploy ransomware or cryptominers.
  • Use the compromised server as a pivot point to launch further attacks against other systems.
  • Deface websites or disrupt services for all tenants on the server.

In a shared hosting environment, the compromise of a single server can lead to a catastrophic multi-tenant data breach, significant financial loss for the hosting provider, and severe reputational damage.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems. Security teams should hunt for:

  • Type: file_path
    Value: /usr/local/cpanel/base/frontend/paper_lantern/lsws/
    Description: Directory containing the vulnerable LiteSpeed cPanel plugin files. Check file versions and modification times.
    Context: File Integrity Monitoring
  • Type: command_line_pattern
    Value: lsws.redisAble
    Description: Suspicious command line activity or script execution involving the lsws.redisAble function.
    Context: Process/Command Line Auditing
  • Type: log_source
    Value: cPanel Access Logs
    Description: Look for unusual or unauthorized access to the LiteSpeed plugin interface from low-privilege accounts.
    Context: Log Analysis / SIEM
  • Type: process_name
    Value: lscpd
    Description: Monitor the LiteSpeed cPanel daemon for unusual child processes or unexpected behavior.
    Context: EDR / Process Monitoring

Detection Methods

  • Vulnerability Scanning: Use vulnerability scanners to identify servers running affected versions of the LiteSpeed cPanel plugin.
  • Log Analysis: Analyze cPanel and system logs for signs of exploitation. Look for logs related to the lsws.redisAble function call, followed by suspicious script execution (e.g., bash, python, perl) by the root user originating from the web server process. D3FEND's Process Analysis can help identify anomalous process chains.
  • File Integrity Monitoring (FIM): Monitor for unauthorized changes to files within the LiteSpeed plugin directory or the creation of suspicious files in temporary directories like /tmp or /var/tmp.
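To make the log-analysis and process-monitoring hints above (and the hunting hints in the Cyber Observables section) concrete, here is an added Python example; it is not code from the advisory, CISA, or LiteSpeed. It assumes, as a simplification, that cPanel access log lines follow a combined-log-like layout with the authenticated cPanel user in the third field, and that process events have already been collected by an EDR or auditd pipeline as records with `ts`, `parent`, `comm`, `user` and `cmdline` fields; the log lines and events below are constructed sample data. It flags requests to the plugin path from low-privilege users, interpreter processes spawned as root by `lscpd`, and command lines mentioning `lsws.redisAble`, then pairs plugin requests with root spawns that follow them within a short window.

```python
"""Hunting helper for the CVE-2026-48172 observables (added example, not the advisory's code).

Assumptions (not from the advisory): access log lines look like a combined log with the
authenticated cPanel user as the third field; process events arrive as dicts with
ts (ISO 8601), parent, comm, user and cmdline, as an EDR or auditd pipeline might emit.
"""
import re
from datetime import datetime, timedelta

PLUGIN_PATH_FRAGMENT = "/frontend/paper_lantern/lsws/"      # plugin directory named in the advisory
CMDLINE_TOKENS = ("lsws.redisAble",)                         # command-line pattern named in the advisory
INTERPRETERS = {"bash", "sh", "python", "python3", "perl"}   # script interpreters the advisory lists
LITESPEED_DAEMON = "lscpd"                                   # process name named in the advisory

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample data: IPs are documentation ranges, users and paths are invented.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - tenant17 [28/May/2026:10:14:02 +0000] "GET /cpsess0001/frontend/paper_lantern/index.html HTTP/1.1" 200',
    '203.0.113.10 - tenant17 [28/May/2026:10:14:09 +0000] "POST /cpsess0001/frontend/paper_lantern/lsws/index.html HTTP/1.1" 200',
    '198.51.100.7 - tenant03 [28/May/2026:11:02:41 +0000] "GET /cpsess0002/frontend/paper_lantern/mail/index.html HTTP/1.1" 200',
]
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2026-05-28T10:14:10+00:00", "parent": "lscpd", "comm": "bash", "user": "root",
     "cmdline": "bash /tmp/sample-dropper.sh"},
    {"ts": "2026-05-28T11:30:00+00:00", "parent": "cron", "comm": "perl", "user": "root",
     "cmdline": "perl /opt/example/maintenance.pl"},
]


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def plugin_requests(lines, privileged_users=frozenset({"root"})):
    """Requests to the LiteSpeed plugin interface made by non-privileged cPanel users."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and PLUGIN_PATH_FRAGMENT in rec["path"] and rec["user"] not in privileged_users:
            hits.append(rec)
    return hits


def root_interpreter_spawns(events, parent=LITESPEED_DAEMON):
    """Interpreter processes running as root whose parent is the LiteSpeed cPanel daemon."""
    hits = []
    for ev in events:
        if ev["parent"] == parent and ev["user"] == "root" and ev["comm"] in INTERPRETERS:
            hits.append(dict(ev, ts=datetime.fromisoformat(ev["ts"])))
    return hits


def token_hits(events):
    """Process events whose command line mentions the function the advisory names."""
    return [ev for ev in events if any(tok in ev.get("cmdline", "") for tok in CMDLINE_TOKENS)]


def correlate(lines, events, window=timedelta(seconds=60)):
    """Pair each low-privilege plugin request with root interpreter spawns that follow it within `window`."""
    alerts = []
    spawns = root_interpreter_spawns(events)
    for req in plugin_requests(lines):
        for sp in spawns:
            lag = sp["ts"] - req["ts"]
            if timedelta(0) <= lag <= window:
                alerts.append({
                    "user": req["user"], "ip": req["ip"],
                    "request_ts": req["ts"].isoformat(),
                    "spawn_cmdline": sp["cmdline"],
                    "lag_seconds": lag.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_ACCESS_LOG, SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The correlation is deliberately narrow: a plugin request on its own is normal tenant activity, and a root interpreter under `lscpd` on its own may have a benign explanation, so only the ordered pair within the window is raised. Widen `window` or `INTERPRETERS` to taste, and feed real access-log lines and EDR events once the field layout has been confirmed against the actual log format.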

Remediation Steps

  1. Immediate Patching: The primary remediation is to upgrade to a patched version. Administrators should update the LiteSpeed WHM Plugin to version 5.3.1.0 or higher, which includes the fixed user-end plugin (v2.4.5).
  2. Verify the Update: After updating, verify that the user-end plugin version is 2.4.5 or later.
  3. Workaround: If immediate patching is not possible, the recommended workaround is to completely remove the LiteSpeed user-end cPanel plugin from the server. This will remove the attack vector but will also remove the functionality provided by the plugin.
  4. Hunt for Compromise: After patching, it is crucial to investigate for signs of compromise, as the vulnerability was exploited as a zero-day. Review logs, check for newly created user accounts, and scan for backdoors or other malware.
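The remediation steps above reduce to a version check and a decision per host (patch, or remove the plugin until patching is possible), which is easy to get wrong across a large fleet. The following added Python example (not the advisory's or LiteSpeed's code) encodes the version boundaries the advisory states and maps an inventory record to the prescribed step. How the two version strings are read from a host is outside its scope, and the inventory, hostnames and record schema are constructed.

```python
"""Remediation triage for CVE-2026-48172 (added example, not the advisory's or LiteSpeed's code).

Version boundaries come from the advisory: user-end plugin v2.3 through v2.4.4 affected,
fixed in 2.4.5, which ships with WHM plugin 5.3.1.0 and higher. The inventory schema and
the sample records are constructed.
"""

AFFECTED_MIN = (2, 3)
AFFECTED_MAX = (2, 4, 4)
FIXED_USER_END = (2, 4, 5)
FIXED_WHM = (5, 3, 1, 0)


def parse_version(text):
    """'v2.4.4' -> (2, 4, 4); tolerates a leading 'v' and surrounding whitespace."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def user_end_status(version):
    """Classify a user-end plugin version against the advisory's affected range."""
    v = parse_version(version)
    if v >= FIXED_USER_END:
        return "patched"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    return "outside stated affected range"


def whm_plugin_is_fixed(version):
    """True when the WHM plugin version is one that bundles user-end plugin 2.4.5 or later."""
    return parse_version(version) >= FIXED_WHM


def recommend(host):
    """Map one inventory record to the remediation step the advisory prescribes.

    Constructed record schema: hostname, user_end_version, whm_version,
    plugin_installed, can_patch_now.
    """
    if not host["plugin_installed"]:
        return "no action: user-end plugin not installed"
    status = user_end_status(host["user_end_version"])
    if status == "patched":
        if whm_plugin_is_fixed(host["whm_version"]):
            return "verified: user-end 2.4.5+ and WHM plugin 5.3.1.0+"
        return "verify: user-end reports patched but WHM plugin is below 5.3.1.0"
    if status == "vulnerable":
        if host["can_patch_now"]:
            return "patch: upgrade WHM plugin to 5.3.1.0+ (user-end 2.4.5), then hunt for compromise"
        return "workaround: remove the user-end plugin until it can be patched, then hunt for compromise"
    return "review: version outside the advisory's stated affected range"


def triage(inventory):
    """Return {hostname: recommendation} for a list of host records."""
    return {h["hostname"]: recommend(h) for h in inventory}


# Constructed inventory: hostnames and version strings are sample data, not real hosts.
SAMPLE_INVENTORY = [
    {"hostname": "shared-01", "user_end_version": "v2.4.4", "whm_version": "5.3.0.2",
     "plugin_installed": True, "can_patch_now": True},
    {"hostname": "shared-02", "user_end_version": "2.3", "whm_version": "5.2.9.0",
     "plugin_installed": True, "can_patch_now": False},
    {"hostname": "shared-03", "user_end_version": "2.4.5", "whm_version": "5.3.1.0",
     "plugin_installed": True, "can_patch_now": True},
    {"hostname": "shared-04", "user_end_version": "2.2.1", "whm_version": "5.1.0.0",
     "plugin_installed": True, "can_patch_now": True},
    {"hostname": "shared-05", "user_end_version": "", "whm_version": "5.3.1.0",
     "plugin_installed": False, "can_patch_now": True},
]

if __name__ == "__main__":
    for hostname, action in triage(SAMPLE_INVENTORY).items():
        print(f"{hostname}: {action}")
```

Versions below v2.3 are reported for review rather than declared safe, because the advisory only states the affected range, not that earlier releases are unaffected. Every vulnerable outcome ends with "hunt for compromise" since the flaw was exploited before the patch shipped.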

Timeline of Events

  1. May 26, 2026: CISA adds CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog.
  2. May 28, 2026: This article was published.
  3. May 29, 2026: Deadline for Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability.

MITRE ATT&CK Mitigations

  • The most critical mitigation is to apply the security patches provided by LiteSpeed immediately to close the vulnerability.
  • If patching is not possible, removing the vulnerable LiteSpeed cPanel plugin entirely serves as an effective workaround to eliminate the attack surface.
  • Audit (M1047, Enterprise): After patching, conduct a thorough audit of system logs, user accounts, and file systems to hunt for any signs of compromise that may have occurred before the patch was applied.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE, zero-day, privilege escalation, cPanel, LiteSpeed, KEV, CISA, web hosting
