CISA Orders Federal Agencies to Patch Actively Exploited cPanel LiteSpeed Plugin (CVE‑2026‑48172) Within 4 Days
What Happened — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive giving all federal agencies four days to remediate a critical privilege‑escalation flaw (CVE‑2026‑48172) in LiteSpeed’s cPanel user‑end plugin. The vulnerability allows unauthenticated remote attackers to execute arbitrary scripts with root privileges and is already being leveraged in the wild.
Why It Matters for TPRM —
- The flaw resides in a widely‑deployed hosting control panel; any third‑party SaaS, web‑hosting, or managed‑service provider that uses cPanel could be compromised.
- Active exploitation means attackers can gain full control of compromised servers, potentially pivoting to customer data or downstream services.
- Federal‑mandated remediation timelines signal heightened risk; private‑sector vendors should treat the directive as a best‑practice deadline.
Who Is Affected — Cloud‑hosting providers, MSPs, SaaS platforms, and any organization that runs cPanel/LiteSpeed on Linux servers (technology, SaaS, cloud‑infrastructure sectors).
Recommended Actions —
- Verify cPanel plugin version; any version between v2.3 and v2.4.4 is vulnerable.
- Apply LiteSpeed’s latest security update immediately; follow vendor patch instructions.
- Run the provided grep command to detect exploitation attempts and block suspicious IPs.
- Review logs for unauthorized script execution and conduct a post‑patch validation of root‑level access controls.
Technical Notes — The vulnerability stems from improper privilege handling in the lsws.redisAble function, allowing remote code execution via the Redis enable/disable feature. No CVE‑specific mitigations exist beyond the vendor patch. Source: BleepingComputer