CISA Orders 4-Day Patch for Critical cPanel Plugin Flaw

Key Takeaways

- CVE-2026-48172 carries a 10.0 CVSS score and is under active exploitation
- Federal agencies must patch by midnight Friday, May 29
- Affected versions span LiteSpeed cPanel plugin v2.3 through v2.4.4
A Root-Level Flaw in Active Exploitation
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, triggering an unusually tight remediation window. Under Binding Operational Directive 22-01, federal civilian agencies must patch affected systems by midnight on Friday, May 29. That's four days from disclosure to deadline.
The vulnerability sits in the LiteSpeed cPanel user-end plugin, a tool bundled with the WHM plugin that web hosts use to integrate LiteSpeed's web server. The flaw lies in the lsws.redisAble function, which manages Redis caching. An incorrect privilege assignment allows remote attackers with no existing access to execute arbitrary scripts with root privileges.
In plain terms: an attacker starting with zero permissions can gain total administrative control of a server. That's the worst-case scenario for any vulnerability, and it's already happening in the wild.
Which Versions Are Affected
LiteSpeed confirmed that all user-end plugin versions between v2.3 and v2.4.4 are vulnerable. The company released emergency security updates on Thursday, urging immediate upgrades to v2.4.5 or later.
Server administrators can check for exploitation attempts using a single command:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If this returns any output, LiteSpeed recommends examining the IP addresses in the results. Block any IPs that aren't legitimate, and check system logs for actions those IPs may have taken.
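To make the IP review step above quicker, the following added example (not from LiteSpeed, CISA or the original article) groups matching log lines by source address. It assumes the client IP is the first whitespace-separated field of each log line; the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: count requests per source IP for the redisAble indicator.
# Assumption: the client IP is the first whitespace-separated field of each
# log line; change the awk field if your log layout differs.

INDICATOR='cpanel_jsonapi_func=redisAble'   # search string from the article

# summarize_hits PATH... : print "<count> <ip>" per line, busiest IP first.
summarize_hits() {
    grep -rhE "$INDICATOR" "$@" 2>/dev/null |
        awk '{ print $1 }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# make_sample_logs DIR : write constructed log lines (not real traffic).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - - [01/Jan/2026:10:01:02 +0000] "POST /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:01:05 +0000] "POST /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
198.51.100.23 - - [01/Jan/2026:10:02:11 +0000] "GET /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 403 0
192.0.2.10 - - [01/Jan/2026:10:03:00 +0000] "GET /constructed/index.html HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2026:10:04:40 +0000] "POST /constructed?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
EOF
}

if [ "$#" -gt 0 ]; then
    summarize_hits "$@"            # e.g. /var/cpanel/logs /usr/local/cpanel/logs/
else
    demo_dir=$(mktemp -d)          # no arguments: run on the constructed sample
    make_sample_logs "$demo_dir"
    summarize_hits "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Run it with the two log directories from the grep command as arguments; with no arguments it runs against the constructed sample only.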
Why the 4-Day Window Matters
BOD 22-01 normally gives agencies 21 days to patch known exploited vulnerabilities. A four-day window signals that CISA views this threat as severe enough to override standard timelines. The agency's language was direct: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
The directive technically applies only to federal agencies. But CISA urged all defenders, including private sector organizations, to prioritize this patch. The reasoning is simple: attackers don't distinguish between government and commercial targets when scanning for vulnerable servers.
What Administrators Should Do Now
- Update the LiteSpeed cPanel user-end plugin to v2.4.5 or later immediately
- Run the grep command above to check for exploitation attempts
- Review system logs for any suspicious activity from flagged IPs
- If patching isn't possible, discontinue use of the plugin until a fix is available
CISA's guidance is straightforward: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Community discussions on Hacker News and sysadmin forums emphasize that the fix is relatively simple. Patching to v2.4.5+ resolves the issue. Some administrators are choosing to uninstall the user-end plugin entirely if they don't actively need it.
The Broader Pattern
This incident follows a pattern of critical vulnerabilities in web hosting infrastructure components. Earlier this year, CISA issued a similar four-day mandate for an Ivanti flaw exploited as a zero-day. Microsoft has also warned of Defender zero-days under active exploitation.
Web hosting plugins are attractive targets because they often run with elevated privileges and sit on systems hosting multiple websites. A single compromised server can become a launchpad for attacks on dozens of sites and their users.
Frequently Asked Questions
What is CVE-2026-48172?
A critical privilege escalation vulnerability in the LiteSpeed cPanel user-end plugin. It allows attackers with no existing access to execute scripts with root (administrator) privileges on affected servers.
Which LiteSpeed plugin versions are vulnerable?
All versions of the cPanel user-end plugin between v2.3 and v2.4.4 are affected. Users should update to v2.4.5 or later.
Does the CISA mandate apply to private companies?
BOD 22-01 legally binds only federal civilian agencies. However, CISA strongly urged all organizations to prioritize this patch given active exploitation in the wild.
How can I check if my server has been targeted?
Run: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. Any output indicates potential exploitation attempts that should be investigated.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer