National Cyber Warfare Foundation (NCWF)

U.S. CISA adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog


2026-05-28 10:19:08
milo
Blue Team (CND)


U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog.





The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the LiteSpeed cPanel Plugin flaw CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog.





CVE-2026-48172 (CVSS score of 10.0) affects the LiteSpeed User-End cPanel plugin before version 2.4.5 and allows privilege escalation, potentially up to root, and has been exploited in the wild. The flaw comes from improper handling of Redis enable/disable functions. Attackers can abuse it to run unauthorized actions on affected servers. Detection involves searching cPanel logs for suspicious Redis-related API calls, while mitigation requires upgrading to at least version 2.4.7 and reviewing logs and IP activity for signs of compromise.





LiteSpeed released emergency patches for CVE-2026-48172, warning that the flaw is actively exploited in cPanel user-end plugin versions v2.3 through v2.4.4. Admins should update immediately and check logs with a provided grep command to detect suspicious IP activity and investigate possible compromise.





“Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root,” reads the advisory. “This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4.”





Run this command to check if your server is affected:





grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null




If it returns no output, your server is not affected. If it returns results, review the listed IPs, verify if they are legitimate, block suspicious ones, and check system logs to assess any potential impact or unauthorized actions.
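The triage helper below is an added example, not LiteSpeed's or cPanel's own tooling: it wraps the advisory's grep and tallies the calling IP and cPanel account for every logged redisAble request, so each caller can be verified or blocked as the advisory asks. It assumes an Apache combined-style log layout (client IP first, account in the third field), which the advisory does not state, and the sample log lines are constructed for the dry run.

```shell
#!/bin/sh
# Added triage helper around the CVE-2026-48172 detection step (not LiteSpeed's
# or cPanel's code). It runs the advisory's grep for cpanel_jsonapi_func=redisAble
# over the cPanel log locations and summarises which IPs and accounts made the call.
#
# Assumed log layout (not stated in the advisory): Apache combined style, i.e.
#   <client ip> - <cpanel account> [<timestamp>] "<request line>" <status> ...
# Lines in another layout are still reported, just with odd field values.

LOG_PATHS="/var/cpanel/logs /usr/local/cpanel/logs/"

# redisable_callers PATH...  ->  "count ip account" per distinct caller, busiest first.
redisable_callers() {
    grep -rhE 'cpanel_jsonapi_func=redisAble' "$@" 2>/dev/null \
        | awk '{ n[$1 " " $3]++ } END { for (k in n) print n[k], k }' \
        | sort -rn
}

# redisable_clean PATH...  ->  exit 0 when no redisAble call is logged (the advisory's "not affected").
redisable_clean() {
    [ -z "$(redisable_callers "$@")" ]
}

# write_sample_log FILE  ->  constructed sample lines (not real log data) for a dry run.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - acct1 [28/May/2026:09:01:11 +0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 51 "" "curl/8.0"
203.0.113.7 - acct1 [28/May/2026:09:01:12 +0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 51 "" "curl/8.0"
198.51.100.9 - acct2 [28/May/2026:09:05:40 +0000] "GET /cpsess456/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 51 "" "Mozilla/5.0"
192.0.2.4 - acct3 [28/May/2026:09:07:02 +0000] "GET /cpsess789/frontend/jupiter/index.html HTTP/1.1" 200 8192 "" "Mozilla/5.0"
EOF
}

# Dry run against the constructed data when invoked with --demo; on a real server
# call redisable_callers $LOG_PATHS instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && write_sample_log "$tmp/access_log"
    redisable_clean "$tmp" && echo "no redisAble calls logged" || redisable_callers "$tmp"
    rm -rf "$tmp"
fi
```

A non-empty summary is the advisory's "results returned" case: each listed IP and account should be checked against known administrators and the system logs before any blocking decision.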





According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.





Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.





CISA orders federal agencies to fix the vulnerabilities by May 29, 2026.










Pierluigi Paganini





(SecurityAffairs – hacking, CISA)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/192795/hacking/u-s-cisa-adds-litespeed-cpanel-plugin-flaw-to-its-known-exploited-vulnerabilities-catalog.html





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.