
THE U.S. Cybersecurity and Infrastructure Security Agency has added CVE‑2026‑48172 to its Known Exploited Vulnerabilities catalog after confirming active exploitation of a privilege escalation flaw in the LiteSpeed cPanel Plugin. The vulnerability affects all versions prior to 2.4.5 and permits an authenticated cPanel user to gain root‑level command execution on the underlying server.
The flaw carries a CVSS v3.1 base score of 10.0, rated Critical, and stems from improper handling of Redis functions within the plugin’s user‑end interface. An attacker who can log in to cPanel can trigger the issue over HTTPS without any additional privileges, allowing execution of arbitrary scripts with root privileges as detailed in a SecurityWeek report.
Versions of the LiteSpeed cPanel Plugin older than 2.4.5 are vulnerable, while LiteSpeed has issued patches in release 2.4.5 and recommends upgrading to 2.4.7 as noted in the vendor’s security update. The Iranian‑linked threat group Screening Serpens has been observed exploiting the flaw in the wild and has coupled it with six new remote access Trojan variants to maintain persistence and exfiltrate data, according to Unit 42 research.
CISA has set a mandatory deadline of 29 May 2026 for federal agencies to apply the mitigations, and it urges private organisations to review the Known Exploited Vulnerabilities catalog for similar risks. The vulnerability is reachable over the standard cPanel HTTPS port and does not require any special configuration beyond a legitimate user account, as highlighted in The Hacker News coverage.
Administrators should first verify the installed version of the LiteSpeed cPanel Plugin and upgrade immediately to the patched release, preferably 2.4.7 or later. If the plugin is not required for operations, removing it entirely eliminates the attack surface, and reviewing cPanel access logs for unexpected command execution or new user sessions can help identify compromise.
Enforcing multi‑factor authentication for cPanel accounts and limiting shell access to trusted IPs further reduces the likelihood of successful exploitation. Organisations should incorporate this fix into their regular patch management cycles, test updates in a staging environment before deployment, and consider disabling any unused plugins across their web hosting stacks.
Sharing any indicators of compromise with CISA and participating in information sharing forums helps the broader community defend against similar threats.