INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
U.S. CISA Adds LiteSpeed Plugin to Known Exploited Vulnerabilities
2026-05-28 09:39 | CRITICAL HIGH
Executive Summary AI-generated
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the LiteSpeed cPanel Plugin flaw, CVE-2026-48172, to its Known Exploited Vulnerabilities catalog due to its potential for privilege escalation up to root. This vulnerability affects user-end plugin versions between v2.3 and v2.4.4, posing a significant risk to all affected systems. The agency has ordered federal agencies to fix the vulnerabilities by May 29, 2026, or face consequences.
Technical Mitigations AI-generated
* Upgrade to at least version 2.4.7: This is the recommended mitigation for users of the LiteSpeed cPanel Plugin affected by CVE-2026-48172, as it addresses the vulnerability and prevents privilege escalation.
* Review logs and IP activity: Regularly check cPanel logs for suspicious Redis-related API calls, and review system logs to detect potential unauthorized actions on affected servers. This can help identify if a server is compromised or has been exploited by an attacker.
* Block suspicious IPs: Run the command grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null and check its output. If it returns any output, review the listed IP addresses and block them to prevent further exploitation. However, if no output is returned, it may indicate that the server is not affected.
* Verify legitimacy of IPs: If IPs that appear legitimate are found in the list, confirm this by checking system logs or contacting the hosting provider. This can help determine if they pose a risk or have been compromised.
* Run additional security checks: In addition to reviewing logs and IP activity, run other security checks such as scanning for malware, monitoring network traffic, and conducting regular backups of critical data to ensure that any potential compromise is detected and contained promptly.
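The log review described in the list above, as an added example (not from the advisory or from LiteSpeed): a shell helper that groups matches of the advisory's grep pattern by source IP and cPanel user, so the addresses can be reviewed before any are blocked. The combined-log field layout, the function names and the sample log lines are assumptions constructed for illustration.

```shell
# Added example (not from the advisory): summarise hits for the indicator.
# Assumption: log lines are combined-log style, with the client IP in field 1
# and the authenticated cPanel user in field 3.

INDICATOR='cpanel_jsonapi_func=redisAble'   # string taken from the advisory

# summarise_hits DIR... -> "count ip user" per source, busiest first.
summarise_hits() {
    grep -rhE "$INDICATOR" "$@" 2>/dev/null |
        awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2,2
}

# unique_ips DIR... -> distinct source IPs to review before any blocking.
unique_ips() {
    summarise_hits "$@" | awk '{ print $2 }' | sort -u
}

# make_sample_logs DIR -> writes CONSTRUCTED log lines (documentation IPs).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/access_log" <<'EOF'
203.0.113.7 - alice [23/May/2026:10:01:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
203.0.113.7 - alice [23/May/2026:10:01:09 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
198.51.100.23 - bob [23/May/2026:11:15:40 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0
192.0.2.50 - carol [23/May/2026:12:00:00 +0000] "GET /frontend/index.html HTTP/1.1" 200 512
EOF
}

# Dry run on the constructed data. On a server, call instead:
#   summarise_hits /var/cpanel/logs /usr/local/cpanel/logs/
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
summarise_hits "$demo_dir"
rm -rf "$demo_dir"
```

An empty result means the pattern did not appear in the searched logs; it says nothing about logs that have already been rotated away or deleted.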
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-41940
CVE-2026-48172
Target & Sectors
Global Scope
Incident Timeline
May 23, 2026
Threat actors used a known exploit to target LiteSpeed User-End cPanel Plugin.
Ravie Lakshmanan
May 23, 2026
Vulnerability / Web Security
A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.
2026/05/28
U.S. CISA adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog, CVE-2026-48172.
CVE-2026-48172 (CVSS score of 10.0) affects the LiteSpeed User-End cPanel plugin before version 2.4.5 and allows privilege escalation, potentially up to root, and has been exploited in the wild.
The issue has been addressed in version 2.4.5.
LiteSpeed released emergency patches for CVE-2026-48172, warning that the flaw is actively exploited in cPanel user-end plugin versions v2.3 through v2.4.4.
“This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4.”
LiteSpeed's WHM plugin is not impacted.
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root.
Detection involves searching cPanel logs for suspicious Redis-related API calls, while mitigation requires upgrading to at least version 2.4.7 and reviewing logs and IP activity for signs of compromise.
Following a security review of its cPanel and WHM plugins in the wake of the vulnerability, LiteSpeed said it has patched additional potential attack vectors in both plugins and released cPanel plugin version 2.4.7 bundled with WHM plugin version 5.3.1.0.
"Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root," LiteSpeed said.
However, if there is any output, users are advised to examine the IP addresses in the list and determine if they are legitimate, and if not, block them.
Users are advised to upgrade to LiteSpeed WHM Plugin version 5.3.1.0, which is bundled with cPanel plugin v2.4.7 or higher, to patch the vulnerability.
If immediate patching is not an option, it's recommended to remove the user-end plugin by running the below command -
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
The development comes weeks after a critical cPanel vulnerability (CVE-2026-41940, CVSS score: 9.8) was identified as actively exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.
The vulnerability impacts all versions of the plugin between 2.3 and 2.4.4.
May 29, 2026
Threat actors exploited a known vulnerability in the LiteSpeed cPanel Plugin used by U.S. CISA, which was patched on May 29, 2026.
Intelligence Sources
The Hacker News
2026-05-23
Security Affairs
2026-05-28
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
16x | organisation | Identified Entity | CVE-2026-48172 | entity
8x | infrastructure | Software Version | 10.0 | version
7x | timeline | Temporal Reference | 2.4.5 | date
7x | attribution | Attributing Entity | The U.S. Cybersecurity and Infrastructure Security Agency | authority
3x | tactic | Cyber Operation Type | Privilege Escalation | tactic
2x | vulnerability | Exploited CVE | CVE-2026-48172 | cve
Contextual Telemetry
Context Block
3 METRICS
vulnerability | CVSS Score | 10 | score
tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
general metric | Critical Cpanel Vulnerability | 10 | critical cpanel vulnerability