CISA adds two distinct LiteSpeed cPanel plugin flaws to its Known Exploited Vulnerabilities catalog: root privilege escalation on shared hosting servers, active exploitation confirmed, and federal three-day patching deadlines.

CISA added two distinct vulnerabilities in the LiteSpeed plugin for cPanel to its Known Exploited Vulnerabilities catalog: the first on May 26, 2026, the second on June 15. Both allow privilege escalation to root on shared hosting servers, where a single compromised account exposes data and sites of all co-tenants. The second entry, with a federal deadline set for June 18, signals the threat is evolving and not contained by patching the initial flaw alone.

Key Takeaways
  • Two distinct CVEs in the same ecosystem: CVE-2026-48172 (Redis, CVSS 9.8) and CVE-2026-54420 (symlink, CVSS 8.5), both with confirmed active exploitation
  • The first exploits the lsws.redisAble function to execute scripts as root; the second abuses symlinks on CloudLinux/CageFS servers with FTP or web shell access
  • CISA imposed two consecutive federal deadlines: May 29 for CVE-2026-48172, June 18 for CVE-2026-54420, the latter under the new BOD 26-04
  • Patched versions differ: 2.4.7/5.3.1.0 for the first, 2.4.8/5.3.2.0 for the second; partial patching leaves the symlink vector exposed

How CVE-2026-48172 Works: Redis as a Gateway to Root

The flaw resides in the handling of Redis functionality within the LiteSpeed user-end plugin for cPanel. The API exposes the parameter cpanel_jsonapi_func=redisAble, which an authenticated cPanel user — or an attacker with compromised credentials — can invoke to force execution of scripts with root privileges.

Halo Security documented the mechanism as CWE-266 (Incorrect Privilege Assignment): the lsws.redisAble function does not adequately restrict the calling process's permissions, allowing a breakout from the user's cage. Researcher David Strydom reported the vulnerability to LiteSpeed on May 19, 2026; the company confirmed active zero-day exploitation in versions 2.3 through 2.4.4.

The National Vulnerability Database assigns CVE-2026-48172 a CVSS 3.1 score of 9.8, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network, low complexity, no privileges required, no user interaction, full impact on confidentiality, integrity, and availability. CVE.org reports 10.0 on the CVSS 4.0 scale; the two figures come from different scoring versions rather than from conflicting assessments. Note that the PR:N component does not match the authenticated-cPanel-user precondition described above; the vector is reproduced here as NVD published it.

"This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4" — LiteSpeed advisory, reported by SecurityWeek and SecurityAffairs

While providers were still patching the Redis flaw, CISA added a second entry on June 15, 2026: CVE-2026-54420, with CVSS 8.5 per CVE.org. The mechanism differs, CWE-61 (UNIX Symbolic Link Following), but the exposure context is identical: shared hosting with CloudLinux and CageFS.

Here the attacker needs FTP access or a web shell on the server, a lower bar than a full cPanel account and one readily met on shared infrastructure with many hosting accounts or compromised sites. The LiteSpeed plugin follows user-supplied symlinks, bypassing the containment barriers CageFS is designed to enforce. The official CVE.org record explicitly describes exploitation "in the wild in May 2026."

The report is attributed to Namecheap, dated May 31, 2026. The dossier does not clarify whether Namecheap was a victim or responsible for coordinated disclosure. Patched versions rise to 2.4.8 for the cPanel plugin and 5.3.2.0 for the WHM plugin, higher than the 2.4.7/5.3.1.0 recommended for the first flaw.

Why Two CVEs in the Same Product Signal Fragility

The three-week interval between the two KEV entries, on tightly coupled components, suggests the LiteSpeed plugin's attack surface was not structurally reduced after the first discovery. Fixing the Redis vector did not eliminate the possibility of escalation through other paths — symlinks in this case — that exploit the same premise: the plugin operates with elevated privileges in a multi-tenant environment designed to isolate users who instead share kernel and filesystem.

The shared hosting model is economically entrenched but architecturally exposed to this kind of collapse. When a single plugin running with root privileges fails, the entire server, dozens or hundreds of sites, databases, SMTP credentials, certificates, falls within the attacker's reach. CISA recognized the severity with two aggressive federal deadlines: three days for the first, and for the second a shift from BOD 22-01 to the new BOD 26-04 with risk-based prioritization, which does not ease the pressure but makes it more selective.

The dossier does not specify whether the two attacks are attributable to the same actor or campaign. No documented infrastructure overlaps link the Redis and symlink vectors to a single operator at this time.

What to Do Now

  • Verify installed version: the user-end plugin must be at least 2.4.8 with WHM plugin 5.3.2.0; 2.4.7/5.3.1.0 fixes only CVE-2026-48172 and leaves the symlink vector active
  • Check logs for compromise indicators: run grep -rE 'cpanel_jsonapi_func=redisAble' /var/cpanel/logs /usr/local/cpanel/logs/ for CVE-2026-48172, and grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ for CVE-2026-54420
  • Audit suspicious cPanel accounts: search for unusual API calls to the redisAble function or symlink operations in user directories, particularly on CloudLinux servers
  • Confirm patching with provider: shared hosting users must verify the host has updated beyond 2.4.7, as many may have stopped at the first fix
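The checks above, carried out as one script, as an added example that is not code from the article, LiteSpeed, or cPanel: it compares plugin versions against the two patch levels with version-aware ordering (so 2.4.10 ranks above 2.4.8), runs the article's two grep patterns over constructed sample log lines, summarises which client touched either vector, and walks a home directory for symlinks that resolve outside it, which is the CWE-61 shape described for CVE-2026-54420. The log lines and the sandbox directory are constructed; the log path named in the comments and the way the installed version is obtained are assumptions, so pass the version strings in from whatever your host reports.

```shell
#!/bin/sh
# Added example, not code from the article, LiteSpeed or cPanel. Triage helper
# for CVE-2026-48172 / CVE-2026-54420 on a cPanel host. Runs offline on the
# constructed data below; log paths and version sources are assumptions.

# Patterns as given in the article's remediation list.
REDIS_RE='cpanel_jsonapi_func=redisAble'
SYMLINK_RE='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# Constructed sample log lines (not real traffic); the cpanel_jsonapi_func=
# query shape follows the article's grep patterns.
SAMPLE_LOG='203.0.113.7 - user1 [01/Jun/2026:10:00:01 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200
198.51.100.9 - user2 [01/Jun/2026:10:00:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble HTTP/1.1" 200
198.51.100.9 - user2 [01/Jun/2026:10:00:03 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200
192.0.2.44 - user3 [01/Jun/2026:10:00:04 +0000] "POST /json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200
192.0.2.44 - user3 [01/Jun/2026:10:00:05 +0000] "cert_action_entry lsws geneccert /home/user3/public_html/link" 200'

# version_ok INSTALLED MINIMUM: true when INSTALLED >= MINIMUM. sort -V orders
# numerically per component, so 2.4.10 is correctly above 2.4.8 (a plain
# string compare would get that wrong).
version_ok() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# patch_status CPANEL_PLUGIN_VER WHM_PLUGIN_VER: prints which CVEs are still
# open at those versions, using the patch levels from the article.
patch_status() {
    if version_ok "$1" 2.4.8 && version_ok "$2" 5.3.2.0; then
        echo "patched-both"
    elif version_ok "$1" 2.4.7 && version_ok "$2" 5.3.1.0; then
        echo "CVE-2026-54420-open"      # first fix only; symlink vector still exposed
    else
        echo "both-open"
    fi
}

# count_hits PATTERN: number of stdin lines matching PATTERN (0 is not an error).
count_hits() {
    grep -cE "$1" || true
}

# suspect_sources: stdin log lines -> "count ip user" for every line hitting
# either pattern, so one client touching both vectors stands out.
suspect_sources() {
    grep -E "$REDIS_RE|$SYMLINK_RE" | awk '{ print $1, $3 }' | sort | uniq -c || true
}

# escaping_symlinks HOME_DIR: lists symlinks under HOME_DIR whose resolved
# target lies outside it, the CWE-61 shape a tenant can plant via FTP or a web
# shell. Prints nothing when none are found.
escaping_symlinks() {
    base=$(readlink -f "$1") || return 1
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$base"/*) ;;                               # resolves inside the home
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Stand-alone run over the constructed data. On a real host, feed the log
# functions with e.g. cat /usr/local/cpanel/logs/access_log (directory taken
# from the article's grep; the file name is an assumption) and point
# escaping_symlinks at each /home/<user>.
main() {
    echo "2.4.7 / 5.3.1.0  -> $(patch_status 2.4.7 5.3.1.0)"
    echo "2.4.10 / 5.3.2.0 -> $(patch_status 2.4.10 5.3.2.0)"
    echo "redis hits:   $(printf '%s\n' "$SAMPLE_LOG" | count_hits "$REDIS_RE")"
    echo "symlink hits: $(printf '%s\n' "$SAMPLE_LOG" | count_hits "$SYMLINK_RE")"
    printf '%s\n' "$SAMPLE_LOG" | suspect_sources

    sandbox=$(mktemp -d)                     # constructed home with one escaping link
    mkdir -p "$sandbox/public_html"
    ln -s /etc/passwd "$sandbox/public_html/pw"
    ln -s ../index.html "$sandbox/public_html/home"   # stays inside: not reported
    escaping_symlinks "$sandbox"
    rm -rf "$sandbox"
}

main "$@"
```

The version comparison is the part most often done wrong in one-liners: a lexical check would call 2.4.10 older than 2.4.8 and flag a patched host as vulnerable, or worse, the reverse. The symlink walk reports only links whose canonical target leaves the home; relative links that stay under the user's own tree are the normal case and are not noise.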

FAQ

Does risk differ between dedicated servers and shared hosting?
Yes, substantially. On a dedicated server, compromise remains confined to the single tenant; on shared hosting the same flaw exposes the data of all co-located accounts. The dossier does not quantify the number of affected servers or providers.

Why does CISA have two deadline systems, BOD 22-01 and BOD 26-04?
BOD 22-01 required patching within fixed timelines for all KEV entries. BOD 26-04, activated June 15, 2026, introduces risk-based prioritization: for CVE-2026-54420 the deadline remains three days (June 18), but the framework differs and signals an adaptation of federal policy.

Is CVSS 10.0 or 9.8 correct for CVE-2026-48172?
They are metrics from different versions: 9.8 is the NVD's CVSS 3.1, 10.0 is CVE.org's CVSS 4.0. Both official sources coexist without one invalidating the other; NVD remains the primary reference for many federal organizations.

The sequence of two zero-days in the same product, within such a compressed timeframe, indicates the security of the integration layer between web server and control panels requires deeper revision than single-patch fixes. Shared hosting remains a convenient but inherently exposed architecture: when the performance optimization plugin becomes the compromise channel, the cost of infrastructure savings is measured in incident response days and potential multi-client data exfiltration.

Information verified against cited sources and current as of publication.

Sources

  1. thehackernews.com
  2. securityweek.com
  3. blog.halosecurity.com
  4. techjacksolutions.com
  5. securityaffairs.com
  6. bleepingcomputer.com
  7. cve.org
  8. nvd.nist.gov
  9. cisa.gov