CISA Orders 4-Day Patch for Critical cPanel Plugin Flaw

Key Takeaways

- CVE-2026-48172 carries a 10.0 CVSS score and is under active exploitation
- Federal agencies must patch by midnight Friday, May 29
- Affected versions span LiteSpeed cPanel plugin v2.3 through v2.4.4
A Root-Level Flaw in Active Exploitation
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, triggering an unusually tight remediation window. Under Binding Operational Directive 22-01, federal civilian agencies must patch affected systems by midnight on Friday, May 29. That's four days from disclosure to deadline.
The vulnerability sits in the LiteSpeed cPanel user-end plugin, a tool bundled with the WHM plugin that web hosts use to integrate LiteSpeed's web server. The flaw specifically targets the lsws.redisAble function, which manages Redis caching. An incorrect privilege assignment allows remote attackers with no existing access to execute arbitrary scripts with root privileges.
In plain terms: an attacker starting with zero permissions can gain total administrative control of a server. That's the worst-case scenario for any vulnerability, and it's already happening in the wild.
Which Versions Are Affected
LiteSpeed confirmed that all user-end plugin versions between v2.3 and v2.4.4 are vulnerable. The company released emergency security updates on Thursday, urging immediate upgrades to v2.4.5 or later.
Server administrators can check for exploitation attempts using a single command:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
If this returns any output, LiteSpeed recommends examining the IP addresses in the results. Block any IPs that aren't legitimate, and check system logs for actions those IPs may have taken.
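To make the "examine the IP addresses" step easier, the following added example (not from LiteSpeed, CISA, or the original article) groups the grep hits by source address. The function names `redisable_hits_by_ip` and `write_sample_log` are hypothetical, the sample log lines are constructed, and the script assumes access-log style lines with the client address in the first field.

```bash
#!/usr/bin/env bash
# Added example: group redisAble log hits by source address for triage.
# Assumption: hits are access-log style lines, client address in field 1
# and the timestamp between the first "[" and "]".

PATTERN='cpanel_jsonapi_func=redisAble'   # string from the check above

# redisable_hits_by_ip DIR_OR_FILE...
# Output (tab-separated, busiest first): count, address, first seen, last seen.
# "First" and "last" follow the order grep reads the files, not wall-clock order.
redisable_hits_by_ip() {
    grep -rhE -- "$PATTERN" "$@" 2>/dev/null |
    awk '
        {
            ip = $1; ts = "-"
            i = index($0, "["); j = index($0, "]")
            if (i > 0 && j > i) ts = substr($0, i + 1, j - i - 1)
            count[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in count)
                printf "%d\t%s\t%s\t%s\n", count[ip], ip, first[ip], last[ip]
        }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample log (documentation-range addresses, made-up path).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [27/May/2026:10:01:02 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.7 - - [27/May/2026:10:05:00 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.5 - - [27/May/2026:10:07:11 +0000] "GET /constructed?cpanel_jsonapi_func=other HTTP/1.1" 200 64
192.0.2.10 - - [27/May/2026:10:09:30 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF
}

# Run against real paths when given, e.g. the two directories from the check.
if [ "$#" -gt 0 ]; then
    redisable_hits_by_ip "$@"
fi
```

Plain grep does not read compressed rotated logs, so any archived logs need to be searched separately.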
Why the 4-Day Window Matters
BOD 22-01 normally gives agencies 21 days to patch known exploited vulnerabilities. A four-day window signals that CISA views this threat as severe enough to override standard timelines. The agency's language was direct: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
The directive technically applies only to federal agencies. But CISA urged all defenders, including private sector organizations, to prioritize this patch. The reasoning is simple: attackers don't distinguish between government and commercial targets when scanning for vulnerable servers.
What Administrators Should Do Now
- Update the LiteSpeed cPanel user-end plugin to v2.4.5 or later immediately
- Run the grep command above to check for exploitation attempts
- Review system logs for any suspicious activity from flagged IPs
- If patching isn't possible, discontinue use of the plugin until a fix is available
CISA's guidance is straightforward: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Community discussions on HackerNews and sysadmin forums emphasize that the fix is relatively simple. Patching to v2.4.5+ resolves the issue. Some administrators are choosing to uninstall the user-end plugin entirely if they don't actively need it.
The Broader Pattern
This incident follows a pattern of critical vulnerabilities in web hosting infrastructure components. Earlier this year, CISA issued a similar four-day mandate for an Ivanti flaw exploited as a zero-day. Microsoft has also warned of Defender zero-days under active exploitation.
Web hosting plugins are attractive targets because they often run with elevated privileges and sit on systems hosting multiple websites. A single compromised server can become a launchpad for attacks on dozens of sites and their users.
Frequently Asked Questions
What is CVE-2026-48172?
A critical privilege escalation vulnerability in the LiteSpeed cPanel user-end plugin. It allows attackers with no existing access to execute scripts with root (administrator) privileges on affected servers.
Which LiteSpeed plugin versions are vulnerable?
All versions of the cPanel user-end plugin between v2.3 and v2.4.4 are affected. Users should update to v2.4.5 or later.
Does the CISA mandate apply to private companies?
BOD 22-01 legally binds only federal civilian agencies. However, CISA strongly urged all organizations to prioritize this patch given active exploitation in the wild.
How can I check if my server has been targeted?
Run: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. Any output indicates potential exploitation attempts that should be investigated.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer