CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
A critical privilege escalation vulnerability (CVE-2026-48172) in the LiteSpeed cPanel user-end plugin is actively exploited in the wild. The flaw involves improper privilege assignment in the lsws. redisAble function, allowing remote attackers with no privileges to execute arbitrary scripts with root privileges. LiteSpeed has released urgent security updates to address this issue and recommends updating the plugin immediately. The U. S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated U. S. federal agencies to patch this vulnerability within four days due to active exploitation. The vulnerability affects user-end plugin versions between v2.
AI Analysis
Technical Summary
CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed cPanel user-end plugin, specifically in the lsws.redisAble function related to Redis enable/disable features. This vulnerability allows remote attackers without privileges to execute arbitrary scripts with root privileges due to incorrect privilege assignment. The flaw affects plugin versions from v2.3 to v2.4.4 and is actively exploited in attacks. LiteSpeed has released urgent security updates to fix the issue. CISA has issued a Binding Operational Directive (BOD 22-01) requiring U.S. federal agencies to patch the vulnerability within four days of notification. The vendor recommends verifying potential exploitation by searching logs for specific Redis-related API calls and blocking suspicious IPs. The vulnerability represents a significant risk to affected systems due to its ability to grant root-level code execution remotely.
Potential Impact
The vulnerability allows remote attackers with no privileges to escalate their privileges to root level and execute arbitrary scripts on affected servers. This can lead to full system compromise, unauthorized access, and control over the affected systems. The vulnerability is actively exploited in the wild, increasing the urgency and risk to organizations running vulnerable versions of the LiteSpeed cPanel user-end plugin. The U.S. federal enterprise is specifically at risk, prompting a mandated patch deadline by CISA.
Mitigation Recommendations
LiteSpeed has released official security updates that address CVE-2026-48172. Users should immediately update the LiteSpeed cPanel user-end plugin to the latest version to remediate this vulnerability. CISA mandates U.S. federal agencies to patch by May 29, 2026, and urges all organizations to prioritize patching or apply vendor-recommended mitigations. Users can check for signs of exploitation by searching server logs for 'cpanel_jsonapi_func=redisAble' and block any suspicious IP addresses. If mitigation is unavailable, discontinuing use of the affected plugin is advised. Patch status is confirmed as fixed by the vendor.
CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
Description
A critical privilege escalation vulnerability (CVE-2026-48172) in the LiteSpeed cPanel user-end plugin is actively exploited in the wild. The flaw involves improper privilege assignment in the lsws. redisAble function, allowing remote attackers with no privileges to execute arbitrary scripts with root privileges. LiteSpeed has released urgent security updates to address this issue and recommends updating the plugin immediately. The U. S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated U. S. federal agencies to patch this vulnerability within four days due to active exploitation. The vulnerability affects user-end plugin versions between v2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48172 is a critical privilege escalation vulnerability in the LiteSpeed cPanel user-end plugin, specifically in the lsws.redisAble function related to Redis enable/disable features. This vulnerability allows remote attackers without privileges to execute arbitrary scripts with root privileges due to incorrect privilege assignment. The flaw affects plugin versions from v2.3 to v2.4.4 and is actively exploited in attacks. LiteSpeed has released urgent security updates to fix the issue. CISA has issued a Binding Operational Directive (BOD 22-01) requiring U.S. federal agencies to patch the vulnerability within four days of notification. The vendor recommends verifying potential exploitation by searching logs for specific Redis-related API calls and blocking suspicious IPs. The vulnerability represents a significant risk to affected systems due to its ability to grant root-level code execution remotely.
Potential Impact
The vulnerability allows remote attackers with no privileges to escalate their privileges to root level and execute arbitrary scripts on affected servers. This can lead to full system compromise, unauthorized access, and control over the affected systems. The vulnerability is actively exploited in the wild, increasing the urgency and risk to organizations running vulnerable versions of the LiteSpeed cPanel user-end plugin. The U.S. federal enterprise is specifically at risk, prompting a mandated patch deadline by CISA.
Mitigation Recommendations
LiteSpeed has released official security updates that address CVE-2026-48172. Users should immediately update the LiteSpeed cPanel user-end plugin to the latest version to remediate this vulnerability. CISA mandates U.S. federal agencies to patch by May 29, 2026, and urges all organizations to prioritize patching or apply vendor-recommended mitigations. Users can check for signs of exploitation by searching server logs for 'cpanel_jsonapi_func=redisAble' and block any suspicious IP addresses. If mitigation is unavailable, discontinuing use of the affected plugin is advised. Patch status is confirmed as fixed by the vendor.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/cisa-gives-feds-4-days-to-patch-actively-exploited-cpanel-plugin-flaw/","fetched":true,"fetchedAt":"2026-05-27T10:18:46.546Z","wordCount":637}
Threat ID: 6a16c506e29bf47b50b1209f
Added to database: 5/27/2026, 10:18:46 AM
Last enriched: 5/27/2026, 10:18:53 AM
Last updated: 5/27/2026, 1:36:22 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.