The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive giving federal agencies a four-day deadline to patch a critical vulnerability in the LiteSpeed cPanel user-end plugin, following confirmation that the flaw is being actively exploited in the wild. The tight deadline reflects CISA's assessment that the risk of continued exposure outweighs the operational disruption of an emergency patching cycle.
The Vulnerability: LiteSpeed cPanel Plugin
The affected component is the LiteSpeed Cache plugin's cPanel integration — a widely deployed tool used by web hosting providers and shared hosting customers. The vulnerability (CVE-2026-48172) was initially disclosed in May 2026 and quickly added to CISA's Known Exploited Vulnerabilities (KEV) catalog after researchers confirmed exploitation in the wild.
The flaw allows attackers to execute scripts as root on affected cPanel servers — one of the most severe outcomes possible for a server-side vulnerability, granting complete administrative control over the underlying host, all hosted websites, their databases, and any stored credentials.
| Attribute | Detail |
|---|---|
| Product | LiteSpeed cPanel Plugin |
| Vulnerability Type | Privilege Escalation → Root RCE |
| Active Exploitation | Confirmed |
| KEV Added | May 2026 |
| Federal Deadline | 4 days from CISA directive issuance |
Why a 4-Day Deadline?
CISA's Binding Operational Directive 22-01, which established the KEV catalog, requires federal civilian agencies to remediate KEV vulnerabilities within defined windows — typically 2–4 weeks for most flaws. The four-day deadline for this vulnerability signals CISA's assessment that:
- Active exploitation is ongoing — threat actors are already targeting federal and government-adjacent infrastructure
- Exploitation is relatively straightforward — the vulnerability does not require complex prerequisites, lowering the bar for opportunistic attackers
- Root-level impact is catastrophic — a successful exploit gives attackers complete control of the host, making rapid response essential
- cPanel is widely deployed in federal web infrastructure — the attack surface is broad enough to warrant emergency prioritization
Who Is at Risk
The vulnerability affects any server running cPanel with the LiteSpeed plugin installed. While the CISA directive targets federal civilian agencies specifically, the active exploitation applies to:
- Web hosting providers offering cPanel-managed hosting
- Government agencies running cPanel-based web infrastructure
- Enterprises using cPanel for internal or customer-facing web hosting
- MSPs and ISPs managing cPanel deployments on behalf of clients
Security researchers have noted that cPanel is one of the most widely deployed web hosting control panels globally, making this vulnerability a high-priority target for mass exploitation campaigns.
Immediate Patching Steps
Organizations running the affected LiteSpeed cPanel plugin should patch immediately:
```bash
# Via the cPanel Plugin Manager:
#   Log into WHM → Plugins → LiteSpeed Web Server Plugin for cPanel
#   Update to the latest patched version

# Alternative: from the command line on the cPanel/WHM server
# (this script restarts the LiteSpeed service; it does not install an update by itself)
/usr/local/cpanel/scripts/restartsrv_litespeed

# Check the installed LiteSpeed Web Server version
# (this file holds the server's version, not the plugin's)
cat /usr/local/lsws/VERSION

# Verify the plugin is updated after patching
whmapi1 getinstalledpackages | grep litespeed
```
If immediate patching is not possible, restrict access to cPanel/WHM management interfaces to trusted IP ranges using WHM's Host Access Control or firewall rules:
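```bash
# Restrict cPanel (ports 2082/2083) and WHM (ports 2086/2087) access.
# CSF and ufw are alternative firewall front ends; use the one the host already runs.

# Example using CSF (ConfigServer Security & Firewall):
# add each known admin IP to the allow list (this alone does not close the ports to others)
csf -a <trusted-admin-ip>

# Example using ufw: block external access to the management ports if not already done.
# ufw applies the first matching rule, so allow rules for admin IPs must come before these.
ufw deny 2082 && ufw deny 2083 && ufw deny 2086 && ufw deny 2087
```
Context: The Broader LiteSpeed Attack Wave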
This CISA directive comes as part of a broader pattern of exploitation targeting the LiteSpeed ecosystem. In May 2026, researchers documented active exploitation of the LiteSpeed cPanel integration flaw being used to deploy malicious scripts, steal credentials from hosted websites, and establish persistence on compromised hosts.
The vulnerability was previously covered following its initial disclosure. The CISA emergency directive now formally mandates federal remediation and signals to the broader security community that exploitation is active and widespread enough to warrant treating this as a critical incident.
CISA's Known Exploited Vulnerabilities Catalog
CISA's KEV catalog has become a critical prioritization tool for defenders. Vulnerabilities added to the KEV catalog represent flaws with confirmed active exploitation — not theoretical risk. Organizations outside the federal government are strongly encouraged to treat KEV additions as a priority patching signal:
- Federal agencies are legally required to remediate KEV vulnerabilities within CISA-specified windows
- Private sector organizations and critical infrastructure operators should treat KEV additions as high-priority patching signals
- CISA publishes the full catalog at cisa.gov/known-exploited-vulnerabilities-catalog
What to Do Now
For any organization running cPanel with the LiteSpeed plugin:
- Identify all cPanel servers in your environment with the LiteSpeed plugin installed
- Apply the patch immediately — update the LiteSpeed plugin to the patched version via WHM or the command line
- Review server logs for indicators of exploitation (unauthorized script execution, new user accounts, unexpected cron jobs)
- Restrict management interface access to trusted IP ranges while patching proceeds
- Monitor for persistence mechanisms — check for unauthorized SSH keys, cron jobs, and web shells in hosted site directories
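The persistence checks listed above, as an added shell example (not from the original article, CISA, or the vendor). The `/home/<user>/public_html` layout, the seven-day window, and the function names are assumptions; the article gives no indicators specific to this CVE, so the checks are generic.

```bash
#!/usr/bin/env bash
# Added example: post-patch triage for the persistence items named in the list above.
# Usage: triage / 7        (root of the filesystem or a mounted image, look-back in days)
# Assumes a stock cPanel layout: sites under /home/<user>/public_html.
# Caveat: mtime can be forged by an attacker, so an empty result is not proof of a clean host.

# Files under DIR whose name matches NAME and that changed within the last DAYS days.
recent_files() {  # recent_files DIR NAME DAYS
  [ -d "$1" ] || return 0
  find "$1" -xdev -type f -name "$2" -mtime "-$3" 2>/dev/null | sort
}

# Accounts with UID 0 other than root in a passwd-format file.
extra_uid0() {  # extra_uid0 PASSWD_FILE
  [ -r "$1" ] || return 0
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Prefix every input line with a category and a tab.
tag() {
  while IFS= read -r line; do printf '%s\t%s\n' "$1" "$line"; done
}

# Run all checks and print one "category<TAB>finding" line per hit.
triage() (  # triage ROOT [DAYS]; subshell body keeps the variables local
  root="${1%/}"; days="${2:-7}"
  # New or unexpected superuser accounts
  extra_uid0 "$root/etc/passwd" | tag uid0-account
  # SSH authorized_keys files touched recently (root and hosted users)
  { recent_files "$root/root/.ssh" authorized_keys "$days"
    recent_files "$root/home" authorized_keys "$days"; } | tag ssh-key
  # Per-user crontabs and system cron drop-ins touched recently
  { recent_files "$root/var/spool/cron" '*' "$days"
    recent_files "$root/etc/cron.d" '*' "$days"; } | tag cron
  # Recently changed PHP files inside hosted site directories (web shell candidates)
  recent_files "$root/home" '*.php' "$days" | grep '/public_html/' | tag php-in-webroot
)
```

Every hit is a lead to review against change records, not a verdict; legitimate deployments also modify these files.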
Source: BleepingComputer