Vulnerability Management, Patch/Configuration Management

CISA adds LiteSpeed cPanel plugin bug to exploited vulnerabilities list

Secure By Design Pledge

The Cybersecurity and Infrastructure Security Agency (CISA) on May 26 added a critical LiteSpeed cPanel plugin bug to its Known Exploited Vulnerabilities (KEV) catalog.

The 9.8 bug — CVE-2026-48172 — operates as a privilege escalation flaw and has been actively exploited in the wild.

CISA ordered federal agencies to patch or remove vulnerable versions of the plugin by May 29. LiteSpeed advised security teams to patch to the latest cPanel plugin.  

Security pros were concerned about this case because LiteSpeed has grown into the third largest web server, mainly because it reads Apache configuration natively, letting hosting providers swap Apache for better performance with minimal effort.

Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, said that widespread adoption made it the default engine in cPanel shared hosting, where major providers serve millions of sites on LiteSpeed infrastructure.

“CVE-2026-48172 gives any compromised cPanel account root access to the entire server,” said Krell. “Attackers are increasingly targeting the platforms companies depend on rather than company networks directly — and on shared hosting, one compromised server exposes hundreds of tenants through a plugin they never chose.”

Krell added that CVE-2026-41940 compromised approximately 44,000 cPanel servers less than a month ago, so a second critical zero-day in the same ecosystem is a pattern — CISA's two-day remediation deadline reflects that.

“Agentic AI is compressing the window between disclosure and exploitation to hours,” said Krell.

Itai Goldman, co-founder and CTO at Miggo Security, added that in the first case with CVE-2026-41940, a critical 9.8 cPanel bug was weaponized to drop Mirai and ransomware at scale across the same hosting stack. On shared hosting, Goldman said root on one server means every tenant on it is compromised.

“Patch now, run the IOC check, and if you get a hit, assume attacker persistence,” said Goldman. “The deeper lesson is architectural: privileged endpoints exposed by default is the pattern defenders need to stop accepting."

Matan Shavit, GM, North America at Hadrian, added that if a normal customer account, or one that has already been compromised, can be used to get control of the whole server, that’s not just another plugin vulnerability — on a multi-tenant box, one weak account can suddenly put other customers in scope, too.

“I would still be careful with the take that everyone is exposed,” said Shavit. “This is not automatically relevant to every LiteSpeed install. It depends on the affected cPanel plugin being present and reachable in that hosting setup. For hosts running that stack, patch fast and then check for abuse. For everyone else, first scope whether the vulnerable component is actually installed.”

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds