CISA adds LiteSpeed cPanel plugin bug to exploited vulnerabilities list

May 27, 2026

By Steve Zurier

The Cybersecurity and Infrastructure Security Agency (CISA) on May 26 added a critical LiteSpeed cPanel plugin bug to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, CVE-2026-48172, carries a CVSS score of 9.8, is a privilege escalation vulnerability, and has been actively exploited in the wild. CISA ordered federal agencies to patch or remove vulnerable versions of the plugin by May 29. LiteSpeed advised administrators to update to the latest version of its cPanel plugin.

Security pros were concerned about this case because LiteSpeed has grown into the third most widely used web server, mainly because it reads Apache configuration natively, letting hosting providers swap out Apache for better performance with minimal effort. Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, said that widespread adoption made it the default engine in cPanel shared hosting, where major providers serve millions of sites on LiteSpeed infrastructure.

“CVE-2026-48172 gives any compromised cPanel account root access to the entire server,” said Krell. “Attackers are increasingly targeting the platforms companies depend on rather than company networks directly — and on shared hosting, one compromised server exposes hundreds of tenants through a plugin they never chose.”

Krell added that CVE-2026-41940 compromised approximately 44,000 cPanel servers less than a month ago, so a second critical zero-day in the same ecosystem is a pattern; CISA's two-day remediation deadline reflects that. “Agentic AI is compressing the window between disclosure and exploitation to hours,” said Krell.

Itai Goldman, co-founder and CTO at Miggo Security, added that in the first case, CVE-2026-41940, a critical 9.8 cPanel bug was weaponized to drop Mirai and ransomware at scale across the same hosting stack.
On shared hosting, Goldman said, root on one server means every tenant on it is compromised. “Patch now, run the IOC check, and if you get a hit, assume attacker persistence,” said Goldman. “The deeper lesson is architectural: privileged endpoints exposed by default is the pattern defenders need to stop accepting.”

Matan Shavit, GM, North America at Hadrian, added that if a normal customer account, or one that has already been compromised, can be used to get control of the whole server, that is not just another plugin vulnerability: on a multi-tenant box, one weak account can suddenly put other customers in scope, too.

“I would still be careful with the take that everyone is exposed,” said Shavit. “This is not automatically relevant to every LiteSpeed install. It depends on the affected cPanel plugin being present and reachable in that hosting setup. For hosts running that stack, patch fast and then check for abuse. For everyone else, first scope whether the vulnerable component is actually installed.”
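The scoping step Shavit describes, as an added example that is not from the article, from LiteSpeed or from cPanel: a POSIX shell check that reports whether the plugin directory is present on a cPanel host and, if so, whether its recorded version is below the first fixed release. The install path, the location and format of the version file, and the fixed version are assumptions for illustration (the article names none of them); take the real values from LiteSpeed's advisory before running this across a fleet.

```shell
#!/bin/sh
# Added example: scope check for the LiteSpeed cPanel (WHM) plugin.
# PLUGIN_DIR, VERSION_FILE and FIXED_VERSION are ASSUMPTIONS, not values
# from the article or the vendor. Override them from the environment.
PLUGIN_DIR="${PLUGIN_DIR:-/usr/local/cpanel/whostmgr/docroot/cgi/lsws}"  # assumed install path
VERSION_FILE="${VERSION_FILE:-$PLUGIN_DIR/VERSION}"                      # assumed version file
FIXED_VERSION="${FIXED_VERSION:-0.0.0}"   # set to the first fixed release from the advisory

# version_lt A B: exit 0 if dotted-numeric version A is lower than B.
# Pure POSIX field-by-field compare, so it does not depend on GNU sort -V.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                 # leading component of each
        [ "$a" = "$ai" ] && a='' || a=${a#*.}    # drop it from the remainder
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}                 # missing components count as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                                     # equal versions are not "less than"
}

# plugin_state DIR VERSION_FILE FIXED: print exactly one of
#   not-installed | unknown-version | vulnerable | patched
# "unknown-version" means the plugin is present but the version could not be
# read; treat that host as in scope until an operator confirms it by hand.
plugin_state() {
    dir=$1; vfile=$2; fixed=$3
    [ -d "$dir" ]   || { echo not-installed;   return 0; }
    [ -r "$vfile" ] || { echo unknown-version; return 0; }
    ver=$(head -n1 "$vfile" | tr -dc '0-9.')     # keep only digits and dots
    [ -n "$ver" ]   || { echo unknown-version; return 0; }
    if version_lt "$ver" "$fixed"; then echo vulnerable; else echo patched; fi
}

# Stand-alone usage: report this host's state with the (assumed) defaults.
plugin_state "$PLUGIN_DIR" "$VERSION_FILE" "$FIXED_VERSION"
```

Run it over a host list with whatever remote execution the hosting platform already uses and sort hosts into the four buckets; only the vulnerable and unknown-version buckets need the patch-then-IOC-check workflow Goldman describes, and a not-installed result on a LiteSpeed box is the "not automatically relevant" case Shavit points out.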