The U.S. Cybersecurity and Infrastructure Security Agency has given federal civilian agencies until midnight Friday, May 29, to scrub a critical LiteSpeed cPanel plugin from their servers or block its exploitation. The window is three days. The standard window under the same binding directive is fourteen to twenty-one.
The bug, CVE-2026-48172, carries a maximum CVSS score of 10.0, is being attacked in the wild, and sits inside a hosting-layer plugin that runs on a web server powering roughly 14% of all websites. Federal exposure is a sliver of what is actually at risk.
What CVE-2026-48172 Lets an Attacker Do
The flaw lives in the lsws.redisAble function inside the LiteSpeed user-end cPanel plugin, which mishandles enable and disable calls for Redis (an in-memory data store used to cache page output). Improper privilege assignment lets any cPanel user, including an attacker who has compromised a low-privileged shared-hosting account, send a crafted JSON API request that runs arbitrary scripts with root permissions.
On a multi-tenant box, that is a tenant-to-host jump. One stolen cPanel login becomes a full server takeover, and a full server takeover on a shared host puts hundreds, sometimes thousands, of unrelated customer sites inside the same blast radius. LiteSpeed says the affected versions run from v2.3 through v2.4.4, with v2.4.5 as the first patched release and v2.4.7 (bundled with WHM plugin v5.3.1.0) as the current recommended target.
What an attacker actually gets, per the vendor advisory and the Common Vulnerabilities and Exposures (CVE) record:
- Arbitrary script execution as root on the host operating system
- Read and write access to every other cPanel account on the same server
- The ability to install persistent backdoors, exfiltrate databases, or pivot into internal networks the host can reach
- A clean exploit path with no privilege prerequisite beyond a single valid low-tier account
The Web Host Manager (WHM) plugin itself is not vulnerable. The damage vector is purely the user-end plugin, the component surfaced inside every individual cPanel account on the server.
Why the Deadline Is Three Days, Not Twenty-One
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Tuesday, May 26, and set the Federal Civilian Executive Branch remediation date for Friday, May 29. Three business days. For comparison, Binding Operational Directive 22-01, the rule that governs the KEV catalog, defaults to a two-week deadline for any CVE assigned in 2021 or later, with a six-month window for older entries.
Sub-week deadlines are a statistical anomaly inside the KEV regime. According to runZero’s KEVology analysis, only sixteen entries across the catalog’s history have shipped with a deadline shorter than one week, roughly 1.07% of the list. CVE-2026-48172 is the seventeenth.
The shortening is not random. SC Media reported earlier this month that acting CISA director Nick Anderson and National Cyber Director Sean Cairncross are weighing a formal proposal to cut the KEV default to three days for federal civilian agencies, citing the speed at which AI-assisted tooling can weaponize a published CVE. The LiteSpeed entry, in practice, reads like a test run of the new posture.
| Entry | KEV add | Federal due | Window |
|---|---|---|---|
| CVE-2026-48172 (LiteSpeed cPanel) | May 26 | May 29 | 3 days |
| CVE-2026-41940 (cPanel/WHM auth bypass) | April 28 | May 19 | 21 days |
| Linux kernel “Copy Fail” | May 1 | May 8 | 7 days |
| Typical FCEB CVE (post-2021) | varies | varies | 14 days |
The other read on the short fuse is the exploit itself. A privilege-escalation primitive with no authentication requirement beyond a single shared-hosting account is the kind of thing automated scanners can chain at scale within hours of disclosure. Field Effect’s writeup and Rescana’s intelligence note both describe the exploitation pattern as opportunistic, not targeted, which is the worse of the two outcomes for a federal CISO who has to defend a perimeter of unknown shared services.
Sub-Week Patch Orders Were a 1% Event Until Now
Treat the three-day timer as a policy signal, not a one-off. The KEV catalog has spent four years training agencies to expect a two-week or three-week clock. Two sub-week deadlines in roughly thirty days, combined with the publicly reported three-day proposal, looks like a regime change in slow motion.
The numbers underneath that signal are unflattering for defenders:
- 16 of ~1,500 KEV entries have ever carried a sub-week deadline, per runZero
- CVSS 10.0 on this flaw, the maximum possible severity rating
- 2.3 through 2.4.4 affected version range, covering roughly two years of LiteSpeed plugin releases
- 5 days from the vendor’s public advisory and patch (May 21) to KEV listing (May 26), and 7 days from the initial researcher report (May 19)
A 14% web-server footprint, combined with a privilege bug that needs nothing more than a low-tier cPanel account to invoke and a script execution path that lands as root, is the profile of vulnerability that lives long after a federal directive expires. The shorter the deadline, the more visibly the gap widens between what BOD 22-01 can compel and what the actual attack surface looks like. The agency can move the federal line. It cannot move the private-sector hosting industry, which is where the LiteSpeed cPanel plugin overwhelmingly runs.
Federal Servers Are a Sliver of the LiteSpeed Surface
BOD 22-01 binds the executive branch civilian agencies. It does not bind the hosting providers most LiteSpeed deployments live on, the agencies that outsource public-facing sites to those hosts, or the small businesses, municipalities, and contractors whose government-adjacent infrastructure runs on shared cPanel boxes.
That gap was the operational lesson of the previous scramble at the same hosting layer: the cPanel and WHM authentication bypass disclosed on April 28, CVE-2026-41940, which had been exploited in the wild since February 23 according to hosting provider KnownHost. Hosting.com, Namecheap, HostPapa, and InMotion Hosting blocked cPanel ports at the network level for days while the patch was finalized. The federal due date for that one was three weeks. Many private hosts moved faster than the federal floor required because they had no choice; the rest dragged.
The LiteSpeed plugin’s user base skews heavily toward exactly that long tail. The product’s strongest install base is WordPress-on-cPanel shared hosting, where a single physical server may carry hundreds of unrelated customer sites and where the customer typically has no visibility into whether the host has applied the underlying plugin patch. A government agency that contracts a microsite to a marketing vendor running on a LiteSpeed shared host is, in practical terms, not covered by Friday’s deadline, even if its .gov-adjacent traffic ultimately depends on the same vulnerable code path.
That asymmetry is the second-order story. CISA can shorten the FCEB clock to 24 hours and still leave the bulk of the realistic blast radius untouched.
A Second cPanel KEV in Five Weeks
The pattern matters more than either entry on its own. CVE-2026-48172 is the second cPanel-adjacent vulnerability CISA has added to the KEV catalog inside roughly five weeks, both with confirmed active exploitation, both touching the same hosting layer.
- April 28, 2026: CVE-2026-41940 disclosed, an unauthenticated authentication-bypass in cPanel and WHM with in-the-wild exploitation traced back to February. Hosting providers blocked cPanel ports network-wide while patches landed.
- May 19, 2026: LiteSpeed receives the CVE-2026-48172 report from researcher David Strydom and immediately publishes an uninstall command as a stopgap.
- May 21, 2026: LiteSpeed ships cPanel plugin v2.4.5 and WHM plugin v5.3.1.0 with the redisAble fix, alongside a public advisory confirming active exploitation.
- May 26, 2026: CISA lists the flaw in its KEV catalog with a three-day federal deadline.
Two critical vulnerabilities of this severity, both inside the same hosting toolchain, both already weaponized at disclosure, both shipped with mitigation guidance that hosts had to scramble to apply: that is a procurement story. Federal contracting offices that rely on managed service providers for web-facing infrastructure have been handed two consecutive proofs that the hosting layer is a single point of failure for any agency that did not ask, in writing, what the provider’s patch cadence looks like.
Detection Commands, Patch Path, and the Mitigation Fallback
LiteSpeed’s incident response guidance is unusually direct for a vendor advisory, and the language reads like it was written by someone who knows the bug is already being chained.
This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions between v2.3 and v2.4.4. If this command results in any output, we recommend you examine the IPs in the list, determine if they are valid, and if not, block them. To determine any damage done, examine the system logs for any actions taken by the detected IPs.
The advisory then publishes a one-line grep that runs against the cPanel log directories and flags any historical invocation of the vulnerable JSON API endpoint. Defenders should run it on every cPanel host they touch, regardless of patch status, because the indicator-of-compromise check looks back at logs from before the fix was available:
```shell
grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
```
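The grep tells you whether the endpoint was ever called; the advisory then asks you to vet the calling IPs and pull the surrounding activity. The script below is an added example, not LiteSpeed’s code or anything from the advisory, that does that triage step over log lines: it matches the same indicator string, groups hits by source IP with the cPanel user and time range, and flags any IP outside networks you recognise. It assumes combined-style access-log lines (client IP, ident, cPanel user, timestamp, quoted request line); the log lines, IP addresses, usernames and session tokens in it are constructed for the example. Like the grep, it only sees what landed in the logged request line, so empty output is not a clean bill of health on its own.

```python
"""Triage redisAble hits in cPanel access logs (added example, not vendor code)."""
import re
from ipaddress import ip_address, ip_network

# The same indicator string the vendor grep searches for.
INDICATOR = "cpanel_jsonapi_func=redisAble"

# Constructed sample log, loosely modelled on a combined-style cPanel access log.
# IPs come from documentation ranges; users and cpsess tokens are made up.
SAMPLE_LOG = """\
203.0.113.10 - shopuser [24/05/2026:02:13:55 +0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2&enable=1 HTTP/1.1" 200 312
203.0.113.10 - shopuser [24/05/2026:02:14:02 +0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2&enable=0 HTTP/1.1" 200 312
198.51.100.7 - bloguser [24/05/2026:09:40:11 +0000] "GET /cpsess456/frontend/jupiter/index.html HTTP/1.1" 200 9812
10.0.5.21 - admin [25/05/2026:11:00:00 +0000] "POST /cpsess789/json-api/cpanel?cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&cpanel_jsonapi_apiversion=2 HTTP/1.1" 200 312
"""

# Assumed line shape: IP, ident, cPanel user, [timestamp], "METHOD PATH ...".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def find_redisable_hits(log_text):
    """Return one dict per line whose logged request contains the indicator.

    Plain substring match, exactly like the advisory grep, so a parameter that
    only travelled in a POST body would not be seen here either.
    """
    hits = []
    for line in log_text.splitlines():
        if INDICATOR not in line:
            continue
        m = LINE_RE.match(line)
        if m:
            hits.append(m.groupdict())
        else:
            # Contains the indicator but does not parse: keep it, unattributed.
            hits.append({"ip": None, "user": None, "ts": None, "method": None, "path": line})
    return hits


def summarize_by_ip(hits):
    """Group hits per source IP: count, distinct cPanel users, first/last seen.

    first/last assume the log is in chronological order, as access logs are.
    """
    summary = {}
    for h in hits:
        ip = h["ip"] or "unparsed"
        entry = summary.setdefault(
            ip, {"count": 0, "users": set(), "first": h["ts"], "last": h["ts"]}
        )
        entry["count"] += 1
        if h["user"]:
            entry["users"].add(h["user"])
        entry["last"] = h["ts"]
    return summary


def flag_unexpected(summary, trusted_networks):
    """IPs that called redisAble from outside the CIDRs you recognise.

    trusted_networks is a hypothetical allowlist of admin/management ranges;
    everything else is what the advisory tells you to vet and, if not
    legitimate, block and investigate in the system logs.
    """
    trusted = [ip_network(n) for n in trusted_networks]
    flagged = []
    for ip in summary:
        try:
            addr = ip_address(ip)
        except ValueError:
            flagged.append(ip)  # unparsed lines cannot be vetted; surface them
            continue
        if not any(addr in net for net in trusted):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_redisable_hits(SAMPLE_LOG)
    summary = summarize_by_ip(hits)
    for ip in flag_unexpected(summary, ["10.0.0.0/8"]):
        e = summary[ip]
        print(f"{ip}: {e['count']} redisAble call(s) as {sorted(e['users'])} "
              f"between {e['first']} and {e['last']}")
```

In practice you would feed it the files under the two directories the grep walks, and the flagged IPs plus their time ranges are what you carry into the system logs for the damage assessment the advisory describes.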
The patch path is straightforward: upgrade the user-end cPanel plugin to v2.4.7 or higher, which ships bundled with WHM plugin v5.3.1.0. For administrators who cannot upgrade inside the federal window, LiteSpeed published an uninstall command that removes the vulnerable plugin entirely:
```shell
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
```
Removal is the cleaner option for any server where Redis page caching is not actively in use. The plugin can be reinstalled from a fixed release later. Discontinuation of the product, the BOD 22-01 fallback when no mitigation exists, is not required here because a vendor patch is available; agencies that miss Friday’s deadline cannot lean on the discontinuation clause to defer.
Past midnight on Friday, the federal civilian count of vulnerable LiteSpeed installs is a measurable thing. If that count is at zero by Saturday morning, the three-day window becomes the precedent for the next KEV entry of this severity. If it is not, the agency is going to have to explain why the same playbook it has been signaling for months did not work on its first real test.