Critical warning: max-severity LiteSpeed cPanel flaw under active exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical security vulnerability found in the LiteSpeed plugin for cPanel. Alarmingly, officials have confirmed that cybercriminals are already actively exploiting this flaw in real-world attacks, posing a severe threat to server environments worldwide.

The danger and mechanics of CVE-2026-48172
This vulnerability, tracked as CVE-2026-48172, has received a maximum severity score of 10.0 out of 10.0 on the CVSS scale. The root cause is incorrect permission validation within the LiteSpeed plugin for cPanel.
What makes this issue exceptionally dangerous is that attackers do not need prior administrative rights or complex exploit chains. With just basic, low-level user access, they can directly escalate their privileges to the absolute top. Once they gain this total control, they can freely modify server configurations, deploy malicious software, or plant hidden backdoors to maintain long-term access to the system.
Which systems are at risk?
Furthermore, if a server lacks proper monitoring and auditing tools, these attacks can fly under the radar for a long time. Armed with root privileges, hackers can tamper directly with system processes, modify active services, or set up stealthy background tasks. This makes the process of auditing, investigating, and recovering a compromised system highly complex and challenging for hosting providers.
Government mandates and immediate remediation
While LiteSpeed has confirmed active exploitation, they have kept specific technical attack details confidential for security reasons. However, to help defenders protect their systems, the company shared an Indicator of Compromise (IoC) to check for signs of a breach:
How to check: System administrators should review their cPanel logs for requests containing the string cpanel_jsonapi_func=redisAble. If any anomalous entries matching this pattern are discovered, administrators are advised to immediately verify the originating IP address and block suspicious connections.
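The log review described above can be scripted. The following is an added example, not code from LiteSpeed or from the original article; it assumes Apache combined-style log lines, and the sample entries, paths, users and addresses in it are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

IOC = "cpanel_jsonapi_func=redisAble"  # indicator string quoted in the article

# Assumption: Apache combined-style lines (client, ident, user, [time], "request", status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample entries; paths, users and addresses are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - alice [01/Jan/2026:10:02:11 +0000] "GET /placeholder/index.html HTTP/1.1" 200 5120',
    '203.0.113.45 - bob [01/Jan/2026:10:03:40 +0000] "GET /placeholder/path?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 312',
    '203.0.113.45 - bob [01/Jan/2026:10:03:42 +0000] "POST /placeholder/path?cpanel_jsonapi_func%3DredisAble HTTP/1.1" 200 298',
    '192.0.2.10 - carol [01/Jan/2026:10:05:00 +0000] "GET /placeholder/path?cpanel_jsonapi_func=example_func HTTP/1.1" 200 900',
    'truncated entry ... cpanel_jsonapi_func=redisAble',
]

def decode_fully(value, rounds=3):
    """Percent-decode up to `rounds` times so encoded forms of the IoC still match."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ioc_hits(lines):
    """Return {client_ip: [hit, ...]} for every log line carrying the IoC."""
    hits = defaultdict(list)
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if match and IOC in decode_fully(match["target"]):
            hits[match["ip"]].append({"line": number, "time": match["ts"],
                                      "user": match["user"], "status": int(match["status"])})
        elif not match and IOC in decode_fully(line):
            # Line does not fit the assumed layout: keep it for manual review.
            hits["unparsed"].append({"line": number, "raw": line.strip()})
    return dict(hits)

if __name__ == "__main__":
    for source, entries in find_ioc_hits(SAMPLE_LOG).items():
        print(f"{source}: {len(entries)} matching request(s)")
        for entry in entries:
            print("   ", entry)
```

Grouping by client address gives the list of originating IPs to verify and block; entries under "unparsed" did not fit the assumed layout and need a manual look.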
For long-term protection, LiteSpeed quickly released an initial fix in version 2.4.5. Following further audits to eliminate potential alternative attack vectors, the company rolled out cPanel plugin version 2.4.7 combined with WHM Plugin version 5.3.1.0.
Hosting platforms remain prime targets
This incident comes just weeks after another severe cPanel vulnerability, CVE-2026-41940, was exploited by threat actors to distribute variants of the Mirai botnet and a strain of ransomware known as "Sorry." These back-to-back incidents serve as a stark reminder that web hosting platforms remain highly lucrative targets for cybercriminals aiming to hijack server resources and scale their malicious infrastructures.
IPSIP Vietnam: delivering leading cybersecurity solutions for enterprises
Rooted in over 15 years of rich experience spanning back to France, the IPSIP Vietnam ecosystem positions itself as a premier strategic partner. We offer a sharp, comprehensive understanding of risk management and autonomous malware interception tailored for the digital era.

IPSIP Vietnam’s management and monitoring systems have successfully cleared rigorous audits to achieve world-class information security certifications, including ISO 27001:2022 and SOC 2 Type II. By providing critical, round-the-clock (24/7) services, such as our Security Operations Center (SOC), Network Operations Center (NOC), and a dedicated IT Support/Helpdesk squad, IPSIP guarantees immediate response and mitigation against any intrusion attempt, day or night. Partnering with our elite technical experts allows businesses to completely eliminate compliance and legal risks, freeing up vital resources to focus on growth objectives.
References
https://www.scworld.com/news/cisa-adds-litespeed-cpanel-plugin-bug-to-exploited-vulnerabilities-list