CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
Source: Bleeping Computer

Vulnerability details
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user‑end plugin, which is actively being exploited.
- CVE: CVE‑2026‑48172
- Type: Privilege‑escalation
- Root cause: Mishandling of Redis enable/disable features in the lsws.redisAble function, leading to incorrect privilege assignment that allows remote attackers with no privileges to execute arbitrary scripts as root.
- Affected versions: All user‑end plugin versions between v2.3 and v2.4.4.
LiteSpeed released urgent security updates on Thursday (blog post) and advises users to update the cPanel user‑end plugin (bundled with the WHM plugin) to the latest version.
Checking for exposure
Run the following command on the server to check its logs for requests to the vulnerable redisAble function, which indicate exploitation attempts against it:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
- If the command returns any output, examine the listed IP addresses.
- Block any IPs that are not legitimate.
- Review system logs for actions taken by those IPs to assess potential damage.
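The triage steps above can be scripted so that the grep output is reduced to a list of source addresses and a per-address hit count, which is what you actually need when deciding which IPs to block and which log ranges to review. The script below is an added example and is not part of the Bleeping Computer article or of LiteSpeed's guidance; the sample log it writes is constructed, and its line layout is only an approximation of a cPanel access log, so if your log files place the client address elsewhere on the line the extraction pattern needs adjusting.

```shell
#!/bin/sh
# Added example (not from the article or LiteSpeed): reduce the advisory's grep
# hits to a list of source IPs and a per-IP count for triage.
# The log format used here is a CONSTRUCTED approximation of a cPanel access log.

# Same indicator string the advisory's grep command searches for.
INDICATOR='cpanel_jsonapi_func=redisAble'

# Print the unique client IPv4 addresses found on lines containing the indicator.
# $1: a log file or a directory of log files (grep -r handles both).
suspect_ips() {
    grep -rhE "$INDICATOR" "$1" 2>/dev/null \
        | grep -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        | sort -u
}

# Print "<count> <ip>" for each client IP, most active first, to prioritise review.
hits_per_ip() {
    grep -rhE "$INDICATOR" "$1" 2>/dev/null \
        | grep -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        | sort | uniq -c | sort -rn
}

# Write a constructed sample log to the path given in $1 so the script runs offline.
# Addresses are from the documentation ranges (RFC 5737), not real hosts.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [29/May/2026:01:12:03 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=lsws HTTP/1.1" 200 512
198.51.100.7 - user1 [29/May/2026:01:15:44 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 8192
203.0.113.10 - - [29/May/2026:01:16:09 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=lsws HTTP/1.1" 200 512
192.0.2.55 - admin [29/May/2026:02:01:00 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble&cpanel_jsonapi_module=lsws HTTP/1.1" 200 512
EOF
}

# Stand-alone run against the constructed sample. On a real server replace the
# temp file with the directories named in the advisory:
#   /var/cpanel/logs /usr/local/cpanel/logs/
SAMPLE_LOG="$(mktemp)"
write_sample_log "$SAMPLE_LOG"
echo "Suspect IPs (empty output means the indicator was not found):"
suspect_ips "$SAMPLE_LOG"
echo "Hits per IP:"
hits_per_ip "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Expect every address the script lists to be checked against your own administrators' known addresses before it is blocked; in the constructed sample, the request from the `admin` session is a legitimate-looking call that a blanket block would also catch, which is why the article's second step is "examine the listed IP addresses" rather than "block everything that matches".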
CISA directive
On Tuesday, CISA added the flaw to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch by midnight on Friday, May 29 as mandated by Binding Operational Directive (BOD) 22‑01.
While BOD 22‑01 applies only to federal agencies, CISA urges all defenders—including the private sector—to prioritize patching for CVE‑2026‑48172 and secure their servers promptly.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
“Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”