The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks.
Tracked as CVE-2026-48172, this privilege escalation vulnerability is related to the mishandling of Redis enable/disable features and was found in the lsws.redisAble function.
The vulnerability stems from an incorrect privilege assignment weakness that enables remote attackers with no privileges to execute arbitrary scripts with root privileges.
LiteSpeed released urgent security updates on Thursday to address the flaw, warning users to update the cPanel user-end plugin (bundled with the WHM plugin) to the latest version.
Users are advised to use the following command to check if their server is vulnerable to CVE-2026-48172 attacks:
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
“This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4,” the LiteSpeed team noted.
“If this command results in any output, we recommend you examine the IPs in the list, determine if they are valid, and if not, block them. To determine any damage done, examine the system logs for any actions taken by the detected IPs.”
On Tuesday, CISA added the security flaw to its catalog of vulnerabilities exploited in attacks and ordered U.S. federal agencies to patch their systems by midnight on Friday, May 29, as mandated by Binding Operational Directive (BOD) 22-01.
While BOD 22-01 applies only to U.S. federal agencies, CISA urged all defenders (including the private sector) to prioritize CVE-2026-48172 patches and secure their servers as soon as possible.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
