HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

CISA Orders Federal Agencies to Patch Actively Exploited cPanel LiteSpeed Plugin (CVE‑2026‑48172) Within 4 Days

CISA has given U.S. federal agencies a four‑day deadline to patch a critical, actively exploited privilege‑escalation flaw (CVE‑2026‑48172) in LiteSpeed’s cPanel plugin. The vulnerability enables unauthenticated attackers to run arbitrary scripts as root, putting any third‑party hosting or SaaS provider that uses cPanel at risk.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

CISA Orders Federal Agencies to Patch Actively Exploited cPanel LiteSpeed Plugin (CVE‑2026‑48172) Within 4 Days

What Happened — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive giving all federal agencies four days to remediate a critical privilege‑escalation flaw (CVE‑2026‑48172) in LiteSpeed’s cPanel user‑end plugin. The vulnerability allows unauthenticated remote attackers to execute arbitrary scripts with root privileges and is already being leveraged in the wild.

Why It Matters for TPRM

  • The flaw resides in a widely‑deployed hosting control panel; any third‑party SaaS, web‑hosting, or managed‑service provider that uses cPanel could be compromised.
  • Active exploitation means attackers can gain full control of compromised servers, potentially pivoting to customer data or downstream services.
  • Federal‑mandated remediation timelines signal heightened risk; private‑sector vendors should treat the directive as a best‑practice deadline.

Who Is Affected — Cloud‑hosting providers, MSPs, SaaS platforms, and any organization that runs cPanel/LiteSpeed on Linux servers (technology, SaaS, cloud‑infrastructure sectors).

Recommended Actions

  • Verify cPanel plugin version; any version between v2.3 and v2.4.4 is vulnerable.
  • Apply LiteSpeed’s latest security update immediately; follow vendor patch instructions.
  • Run the provided grep command to detect exploitation attempts and block suspicious IPs.
  • Review logs for unauthorized script execution and conduct a post‑patch validation of root‑level access controls.

Technical Notes — The vulnerability stems from improper privilege handling in the lsws.redisAble function, allowing remote code execution via the Redis enable/disable feature. No CVE‑specific mitigations exist beyond the vendor patch. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/cisa-gives-feds-4-days-to-patch-actively-exploited-cpanel-plugin-flaw/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →