Users should upgrade to LiteSpeed WHM Plugin version 5.3.1.0 (bundled with the user-end plugin version 2.4.7) or higher, which contain patches for the vulnerability. If patching is not possible, users are advised to completely remove the plugin.

On May 19, cPanel pushed a nightly update that removed the LiteSpeed user-end plugin for all cPanel versions, underlining that the exploited CVE allowed unauthorized root access to the server.

On Tuesday, CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it or remove the vulnerable plugin versions by May 29, in line with Binding Operational Directive (BOD) 22-01 guidance.


Ionut Arghire is an international correspondent for SecurityWeek.


Source: SecurityWeek