CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
Recorded: May 27, 2026, 1:23 p.m.
| Original | Summarized |
CISA gives feds 4 days to patch actively exploited cPanel plugin flaw News Featured Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign Laravel Lang packages hijacked to deploy credential-stealing malware Netherlands seizes 800 servers of hosting firm enabling cyberattacks Ubiquiti patches three max severity UniFi OS vulnerabilities FBI warns of in-person data theft attacks from extortion gang Your grocery routine’s easiest upgrade is a Sam’s Club membership for just $25 CISA gives feds 4 days to patch actively exploited cPanel plugin flaw Dutch police arrests suspect linked to Ajax football club hack Tutorials Latest How to access the Dark Web using the Tor Browser How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11 How to use the Windows Registry Editor How to backup and restore the Windows Registry How to start Windows in Safe Mode How to remove a Trojan, Virus, Worm, or other Malware How to show hidden files in Windows 7 How to see hidden files in Windows Webinars Latest Qualys BrowserCheck STOPDecrypter AuroraDecrypter FilesLockerDecrypter AdwCleaner ComboFix RKill Junkware Removal Tool Deals Categories eLearning IT Certification Courses Gear + Gadgets Security VPNs Popular Best VPNs How to change IP address Access the dark web safely Best VPN for YouTube Forums Virus Removal Guides HomeNewsSecurityCISA gives feds 4 days to patch actively exploited cPanel plugin flaw CISA gives feds 4 days to patch actively exploited cPanel plugin flaw By Sergiu Gatlan May 27, 2026 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Related Articles: Actively Exploited Sergiu Gatlan Previous Article Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now You may also like: Upcoming Webinar Popular Stories FBI warns of Kali365 phishing service targeting Microsoft 365 accounts Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign Anthropic’s restricted Claude Mythos model may be coming to Claude Code Sponsor Posts Protect Your Business from Ecommerce Fraud AI is a data-breach time bomb: Read the new report 33% Rise in Healthcare Credential Theft in 2025: What you need to know Overdue a password health-check? Audit your Active Directory for free Upcoming Webinar Follow us: Main Sections News Community Forums Useful Resources Welcome Guide Company About BleepingComputer Terms of Use - Privacy Policy - Ethics Statement - Affiliate Disclosure Copyright @ 2003 - 2026 Bleeping Computer® LLC - All Rights Reserved Login Username Password Remember Me Sign in anonymously Sign in with Twitter Not a member yet? Register Now Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... |
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a directive granting U.S. federal agencies a four-day window to secure their systems against a critical vulnerability in the LiteSpeed cPanel user-end plugin that is currently being actively exploited. This vulnerability, identified as CVE-2026-48172, is a privilege escalation flaw stemming from the improper handling of Redis enable/disable features within the lsws.redisAble function. This weakness allows remote attackers, who possess no prior privileges, to execute arbitrary scripts with root privileges on the affected systems. LiteSpeed released urgent security updates on Thursday to address this flaw, advising users to update their cPanel user-end plugin, which is bundled with the WHM plugin, to the latest version. The vulnerability specifically impacts user-end plugin versions ranging from v2.3 to v2.4.4. To determine if a server is susceptible to the CVE-2026-48172 attack, users are advised to execute a specific command to search server logs for instances of the vulnerable function calls. The LiteSpeed team warned that if this command yields any output, defenders should examine the associated IP addresses, verify their legitimacy, and block them, while also analyzing system logs to ascertain any damage inflicted. CISA formally cataloged this security flaw and mandated that U.S. federal agencies patch their systems by midnight on Friday, May 29, in compliance with the Binding Operational Directive (BOD) 22-01. Although BOD 22-01 applies specifically to federal agencies, CISA strongly urged all defenders, including entities in the private sector, to prioritize applying patches for CVE-2026-48172 and immediately secure their servers. The cybersecurity agency stressed that this type of vulnerability represents a frequent attack vector for malicious cyber actors and consequently poses significant risks to federal enterprise. Mitigation strategies involve applying instructions provided by the vendor, adhering to the guidance in BOD 22-01 for cloud services, or ceasing the use of the affected product if appropriate mitigations cannot be implemented. |