U.S. CISA adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
May 28, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds LiteSpeed cPanel Plugin flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the LiteSpeed cPanel Plugin flaw CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-48172 (CVSS score of 10.0) affects the LiteSpeed User-End cPanel plugin before version 2.4.5 and allows privilege escalation, potentially up to root, and has been exploited in the wild. The flaw comes from improper handling of Redis enable/disable functions. Attackers can abuse it to run unauthorized actions on affected servers. Detection involves searching cPanel logs for suspicious Redis-related API calls, while mitigation requires upgrading to at least version 2.4.7 and reviewing logs and IP activity for signs of compromise.

LiteSpeed released emergency patches for CVE-2026-48172, warning that the flaw is actively exploited in cPanel user-end plugin versions v2.3 through v2.4.4. Admins should update immediately and check logs with a provided grep command to detect suspicious IP activity and investigate possible compromise.

“Any cPanel user (including an attacker or a compromised account) may exploit the lsws.redisAble function to execute arbitrary scripts as root.” reads the advisory. “This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4.”

Run this command to check if your server is affected:

grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null

If it returns no output, your server is not affected. If it returns results, review the listed IPs, verify if they are legitimate, block suspicious ones, and check system logs to assess any potential impact or unauthorized actions.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by May 29, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)