27th May 2026 Cyber Update: LiteSpeed cPanel Flaw Puts Shared Hosting Servers on Notice

A newly escalated warning from CISA’s Known Exploited Vulnerabilities catalogue has placed a sharp spotlight on a security issue that matters well beyond one software plugin. The vulnerability, tracked as CVE-2026-48172, affects LiteSpeed’s user-end cPanel Plugin and has already been exploited in the wild. For hosting providers, digital agencies, managed service providers and organisations that depend on shared hosting platforms, the message is elegantly simple but operationally urgent: patch, verify, and do not assume that a low-privileged account is low risk.

What’s the update?

CISA added CVE-2026-48172 to its KEV catalogue on 26 May 2026, describing it as a LiteSpeed cPanel Plugin privilege escalation vulnerability that can be abused through the user-end cPanel plugin to execute arbitrary scripts with root privileges. The agency set a due date of 29 May 2026 for required action under its catalogue guidance, advising organisations to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use where mitigations are unavailable.

The LiteSpeed advisory says the affected component is the user-end plugin for cPanel, not the WHM plugin itself. LiteSpeed says versions 2.3 through 2.4.4 are at risk, and that any cPanel user, including an attacker using a compromised account, may exploit the lsws.redisAble function to execute arbitrary scripts as root. The company patched the issue in cPanel Plugin v2.4.5 and later released cPanel Plugin v2.4.7 bundled with WHM Plugin v5.3.1.0 after a broader security review.

The National Vulnerability Database lists CVE-2026-48172 as critical, with a CVSS 3.1 base score of 9.8, and notes that the recommended minimum version is 2.4.7. Industry Cyber observers have also reported active exploitation, while Field Effect warns that the issue is particularly serious in shared hosting environments, where a single compromised account can become a path to full server takeover.

Why does it matter?

The risk is not confined to one vulnerable plugin. It sits at the intersection of web hosting, customer isolation, privileged backend operations and the trust that many businesses place in outsourced infrastructure. In a shared hosting environment, one weak or compromised account can be enough to threaten other workloads on the same server if privilege boundaries fail. That is why this story deserves attention from business leaders as well as administrators.

For Australian organisations, the exposure may be indirect. A company may not run LiteSpeed or cPanel itself, yet its website, customer portal, marketing microsite or supplier-managed web application may depend on a hosting stack that does. This is a timely reminder that cyber risk often travels through operational convenience. Low-cost hosting, delegated administration and agency-managed environments can be perfectly legitimate business choices, but they still require evidence of patching, logging and incident review when active exploitation is confirmed.

The practical cost of delay is also clear. Root-level execution can allow an attacker to modify configurations, create persistence, interfere with hosted sites, steal data, implant malicious scripts or move towards broader compromise. The question for leadership is not only whether the organisation owns the server, but whether it knows who does, how quickly they patch, and whether they can prove the environment has been checked.

Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.