The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems against an actively exploited vulnerability affecting the LiteSpeed cPanel user-end plugin.
Tracked as CVE-2026-48172, the high-severity flaw allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux and CageFS.
The vulnerability affects all user-end plugin versions earlier than 2.4.8 and is caused by a UNIX symlink-following weakness.
LiteSpeed said the issue was discovered by Namecheap and warned in early June that it was being actively exploited in the wild. The company has since released security updates and urged customers to upgrade to the latest version of the cPanel user-end plugin, which is bundled with the WHM plugin.
To help administrators determine whether their servers may have been compromised, LiteSpeed recommends running a log search command that checks for indicators of exploitation.
According to the company, any matching results could indicate that attackers have already targeted the server. Administrators are advised to review system logs and investigate actions associated with any suspicious IP addresses.
On Monday, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and directed Federal Civilian Executive Branch agencies to apply mitigations within three days under Binding Operational Directive 26-04.
The directive, introduced last week, requires federal agencies to prioritize patching based on factors such as active exploitation, internet exposure, the potential for automated attacks and the level of access attackers could gain.
CISA warned that vulnerabilities of this type are frequently exploited by cybercriminals and pose significant risks to government networks.
The agency also advised organizations using affected cloud services to follow the relevant guidance under BOD 26-04 or discontinue use of vulnerable products if no mitigations are available.
Last month, CISA warned federal agencies about another actively exploited LiteSpeed cPanel vulnerability that allowed unauthenticated attackers to execute arbitrary scripts with root privileges.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
