
LiteSpeed cPanel Plugin Symlink Flaw Lets FTP Users Escalate to Root

bleepingcomputer.com · @threat_watch · 1 hour ago · Cybersecurity · 3 comments

CISA gives federal agencies three days to patch CVE-2026-48172, a high-severity symlink vulnerability in the LiteSpeed cPanel plugin that attackers are actively exploiting to gain root on shared hosting.

Tags: cisa, litespeed, cpanel, cve-2026-48172, cloudlinux, cagefs

Three days is all U.S. federal agencies get to fix CVE-2026-48172, a symlink following vulnerability in the LiteSpeed cPanel user-end plugin that attackers are actively exploiting to turn FTP or web shell access into root on shared hosting servers.

Namecheap reported the bug. LiteSpeed flagged it as actively exploited in early June and pushed version 2.4.8 as the fix. CISA added the CVE to its Known Exploited Vulnerabilities catalog on Monday, triggering the Binding Operational Directive 26-04 clock for FCEB agencies.

What the Symlink Flaw Actually Does

The vulnerability lives in all user-end plugin versions before 2.4.8. It's a UNIX symlink weakness that lets an attacker who already has FTP or web shell on a shared hosting server escalate privileges to root -- but only when the server runs CloudLinux with CageFS. That's a common isolation setup for shared hosts. An attacker with limited access can follow a crafted symlink to escape the cage and take full control of the host.

LiteSpeed's advisory calls it a high-severity flaw and warns that exploitation grants root privileges. No authentication bypass required; you just need that initial foothold.

How to Check for Compromise

LiteSpeed published a grep command to scan logs for signs of exploitation:

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

Any output means the server may have been hit. LiteSpeed advises examining system logs for actions tied to the detected IPs. If you're running a shared hosting environment with CloudLinux/CageFS and haven't updated the user-end plugin to 2.4.8, you're in the crosshairs.
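The check above is a one-line grep; what you actually want from it is the list of client IPs that issued those calls, so you can pivot into the rest of the server's logs. The script below is an added example, not LiteSpeed's tooling: it applies the same indicator regex from the advisory to cPanel log files, pulls the IPv4 address from each matching line, and returns the distinct suspect IPs. The sample log lines are constructed for offline demonstration and are not real cPanel output; the assumption that the client IP is the first IPv4 token on a line holds for access-log style formats but should be checked against the log files on your own host.

```python
import re
import sys
from pathlib import Path

# Same indicator pattern as LiteSpeed's published grep (case-sensitive, like grep -E).
INDICATOR = re.compile(
    r"cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert"
)
# First IPv4 token on the line; assumption: access-log style lines lead with the client IP.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (not real cPanel log output) so the example runs offline.
SAMPLE_LOG = """\
203.0.113.7 - user1 [10/Jun/2026:08:15:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=generateEcCert&cpanel_jsonapi_module=SSL HTTP/1.1" 200
198.51.100.4 - user2 [10/Jun/2026:08:16:11 +0000] "GET /frontend/paper_lantern/index.html HTTP/1.1" 200
203.0.113.7 - user1 [10/Jun/2026:08:17:40 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200
192.0.2.9 - user3 [10/Jun/2026:09:01:00 +0000] "cert_action_entry executing geneccert for user3" 
"""


def scan_lines(lines):
    """Return (line_number, ip_or_None, line) for every line matching the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if INDICATOR.search(line):
            m = IPV4.search(line)
            hits.append((n, m.group(0) if m else None, line.rstrip("\n")))
    return hits


def scan_paths(paths):
    """Recurse through the given files/directories (like grep -r) and scan each regular file.

    Returns {file_path: hits}; unreadable files are skipped rather than aborting the scan.
    """
    results = {}
    for root in paths:
        root = Path(root)
        if not root.exists():
            continue
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for f in files:
            try:
                with f.open("r", errors="replace") as fh:
                    hits = scan_lines(fh)
            except OSError:
                continue
            if hits:
                results[str(f)] = hits
    return results


def suspect_ips(hits):
    """Distinct IPs from a hit list, in first-seen order, for cross-checking other logs."""
    seen = []
    for _, ip, _ in hits:
        if ip and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    # Default to the two log directories named in LiteSpeed's grep; override on the command line.
    paths = sys.argv[1:] or ["/usr/local/cpanel/logs/", "/var/cpanel/logs/"]
    found = scan_paths(paths)
    if not found:
        print("no indicator matches found")
    for path, hits in found.items():
        print(f"{path}: {len(hits)} matching line(s); suspect IPs: {', '.join(suspect_ips(hits))}")
        for n, ip, line in hits:
            print(f"  line {n} [{ip}]: {line}")
```

Run it with no arguments on the host to scan the same directories as the advisory's grep, or pass explicit paths; any matches are an indicator that the server may have been hit, and the returned IPs are the starting point for reviewing system logs, as LiteSpeed advises.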

CISA's New Patching Directive Changes the Game

CISA's BOD 26-04, issued last week, replaces the older BODs 19-02 and 22-01. It forces agencies to prioritize patching based on exploitation risk, with a three-day window for any vulnerability in the KEV catalog. Key risk factors: public exposure, automation potential, and whether a successful exploit grants partial or total system control. CVE-2026-48172 checks every box.

This marks the second LiteSpeed cPanel plugin CISA has flagged in recent weeks -- last month it was CVE-2026-48172 (different bug, same kind of active exploitation). If you manage shared hosting infrastructure, treat the plugin update like a fire drill. Attackers don't wait for compliance deadlines.


Source: CISA warns of another cPanel plugin flaw exploited in attacks
Domain: bleepingcomputer.com
