Skip to main content
Emerging Threats

CISA Mandates Emergency Patch for Exploited cPanel Plugin Flaw

Server room with rows of equipment, focusing on a single server screen displaying a plugin interface.
"This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4," the LiteSpeed team noted.

CVE-2026-48172: what the flaw is and how it works

CVE-2026-48172 is a critical privilege-escalation vulnerability in the LiteSpeed cPanel user-end plugin. According to the advisory, the bug relates to the mishandling of Redis enable/disable features and was found in the lsws.redisAble function. The incorrect privilege assignment allows remote attackers with no privileges to execute arbitrary scripts with root privileges.

CISA's order and the four-day deadline

On Tuesday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalog of vulnerabilities known to be exploited in attacks and ordered U.S. federal agencies to patch affected systems by midnight on Friday, May 29. The patching deadline was issued under Binding Operational Directive 22-01 (BOD 22-01). CISA's action gives federal agencies four days to secure their servers against active exploitation.

CISA noted that BOD 22-01 applies only to U.S. federal agencies, but the agency also urged all defenders — including the private sector — to prioritize CVE-2026-48172 patches and secure servers as soon as possible. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned, and recommended applying vendor mitigations, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.

LiteSpeed's response and the immediate checks administrators can run

LiteSpeed released urgent security updates on Thursday and warned users to update the cPanel user-end plugin (which is bundled with the WHM plugin) to the latest version. The vendor provided a concrete check administrators can run to detect potential exploitation attempts. The recommended command is:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

Per LiteSpeed's guidance: if this command returns any output, administrators should examine the IPs listed, determine whether they are valid, and if not, block them. To assess any damage, examine system logs for actions taken by detected IPs.

Immediate defensive steps for affected servers

  • Install the updates LiteSpeed released for the cPanel user-end plugin and bundled WHM plugin without delay; the vendor labeled the updates urgent.
  • Run the provided log-search command to detect calls to the redisAble action and investigate any IPs that appear in the output.
  • Block IPs that are not legitimate and audit system logs to determine whether arbitrary scripts were executed with root privileges.
  • If vendor mitigations are not available or cannot be applied, follow CISA's guidance to discontinue use of the product or apply alternative mitigations per vendor instructions, including cloud-specific BOD 22-01 guidance where applicable.

What this means for U.S. federal agencies, private defenders, and server administrators

  • U.S. federal agencies: The midnight May 29 BOD 22-01 deadline compels agencies to patch or mitigate CVE-2026-48172 immediately and to document compliance steps under the directive.
  • Private-sector defenders: While not covered by the BOD, organizations are urged by CISA to treat this vulnerability as a priority because it is actively exploited and can lead to full system compromise.
  • Server administrators and hosting providers: Anyone running affected user-end plugin versions between v2.3 and v2.4.4 must update, run the log checks recommended by LiteSpeed, and inspect and block suspicious IPs and commands to determine any post-compromise activity.

The combination of an active exploit, a short federally mandated patch window, and a simple log-detection command creates a high-pressure situation for administrators who run the affected LiteSpeed cPanel plugins. With attackers already targeting the lsws.redisAble weakness and the vendor issuing urgent updates, the practical next steps are clear: patch, search logs with the provided command, and block or contain any suspicious IPs while auditing for root-level script execution.

Original reporting: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-4-days-to-patch-actively-exploited-cpanel-plugin-flaw/